On the Limits of Anonymous Password Authentication




Yan-Jiang Yang (a), Jian Weng (b), Feng Bao (a)
(a) Institute for Infocomm Research, Singapore. Email: {yyang,baofeng}@i2r.a-star.edu.sg
(b) School of Computer Science, Jinan University, Guangzhou, P.R. China. Email: cryptjweng@gmail.com

Abstract: Password authentication is the most commonly accepted means of entity authentication. To meet the increasing need to preserve individual privacy, anonymous password authentication has recently been proposed to augment password authentication with protection of user privacy. In this paper we analyze weaknesses inherent to anonymous password authentication that call into question its practicality in real applications. We also show that all existing anonymous password authentication schemes may be subject to undetectable on-line dictionary attacks.

Keywords: password authentication, unlinkability, undetectable on-line dictionary attacks
AMS Subject classification: 65N30

1. Introduction

Using passwords for entity authentication has been common practice since the advent of computers, and is still the case today. Every day there are probably billions of instances of password use in cyberspace. The wide acceptance of password authentication is due to the fact that it requires no dedicated devices: a user only needs to memorize his passwords. Its weak aspect is that passwords are normally drawn from a relatively small space, and are kept short so as to be memorizable; they are therefore subject to brute-force dictionary (guessing) attacks. Dictionary attacks can be on-line or off-line. In an on-line dictionary attack, the attacker tries to log in to the server in the name of the victim user, trying a different password each time until it finds the correct one. In an off-line dictionary attack, the attacker does not need to interact with the server; rather, it collects the protocol transcript of a login session between a user and the server, and then checks all possible passwords against the transcript to determine the actual one. On-line dictionary attacks are inevitable in password authentication, but can easily be addressed at the system level by locking a user's account once the number of consecutive unsuccessful login attempts against that account passes a threshold. In contrast, off-line dictionary attacks are notoriously harder to address, and must be addressed at the protocol level.

Nowadays users are increasingly concerned about individual privacy, and prefer to conceal identifying information when accessing on-line services. Password authentication in its original form, however, does not protect user privacy. To see this, recall its setting: each user registers his/her password with the server in advance, so the server maintains a password file containing all users' passwords. To log in, a user provides his ID to the server, which then looks up the corresponding password and engages in the authentication protocol with the user, who also uses the password. The server therefore necessarily learns who is logging in. To protect privacy, anonymous password authentication [11-13] has recently been proposed, augmenting password authentication with protection of user privacy. In particular, anonymous password authentication offers unlinkability: the server should not be able to link different login sessions of the same user. Given the wide use of password authentication in practice, anonymous password authentication seems to be a promising privacy-preserving primitive.

However, in this paper we refute the practicality of anonymous password authentication in real-world applications by pointing out several of its weaknesses. These weaknesses are inherent to anonymous password authentication as a whole, not specific to particular schemes. We also show that all existing anonymous password authentication schemes [1,11-13] may be subject to undetectable on-line dictionary attacks [6], in which the server does not realize that an on-line dictionary attack is taking place. To make our analysis concrete, we take the latest anonymous password authentication scheme [13] (referred to as the YZ scheme hereafter) as an example.

Organization. The rest of the paper is organized as follows. Section 2 reviews related work. Section 3 reviews the YZ scheme and then shows that all existing anonymous password authentication schemes may be vulnerable to undetectable on-line dictionary attacks. Section 4 analyzes the limits of anonymous password authentication, and Section 5 concludes the paper.

2. Related work

Password authentication can be divided into two approaches, depending on whether public key primitives (e.g., public key encryption and digital signatures) are involved: the public-key-assisted approach and the password-only approach. In the public-key-assisted approach, the server has a public/private key pair for encryption or signing at its disposal, while users use passwords; examples include [5,7,8]. The server's use of a public key primitive simplifies protocol design, but requires the deployment of a PKI (Public Key Infrastructure) for certification. In contrast, the password-only approach involves no public key primitive and thus eliminates the dependence on PKI. The password-only approach, i.e., password authenticated key exchange (PAKE), has been studied extensively, e.g., [2-4,9,10].

It is well known that password authentication does not protect user privacy, because the server needs to know the ID of the user who is logging in and then uses the corresponding password from the password file to authenticate that user. Anonymous password authentication was proposed to protect user privacy. The first scheme was due to [12], which combines a password-only protocol with a PIR (Private Information Retrieval) protocol: the password-only protocol generates a shared key between the user and the server, and the PIR protocol provides user privacy. Subsequently, new schemes were given in [11]. These also rely on PIR to preserve user privacy, but use the trivial PIR construction, in which the server sends the whole database to the user. [1] considered three-party (user-gateway-server) anonymous password authentication, and the proposed protocol also uses PIR to attain user privacy. The latest scheme is [13], which also uses the trivial PIR solution. It is the most efficient of these schemes, since part of the server's computation can be done off-line. We note that all of the above schemes belong to the password-only approach.

3. Undetectable on-line dictionary attacks

3.1 Review of the YZ scheme. To make the analysis in the rest of the paper concrete, we take the latest scheme, the YZ scheme of [13], as an example. While there are minor differences, the other anonymous password authentication schemes [1,11,12] can be viewed as variants of the YZ scheme. Figure 1 shows a version of the YZ scheme in which a single user logs in to the server. We refrain from further elaborating on the scheme, as the description in Figure 1 is already clear and self-contained.

Figure 1. The YZ scheme (the figure itself is not included in this transcription; the text below refers to its quantities A_j, r_s and the session key sk).

3.2 Undetectable on-line dictionary attacks. Note that in the YZ scheme of Figure 1 there is no explicit authentication of the user by the server. To be fair, this is not an issue from the key establishment point of view, because the user cannot establish the correct shared key sk unless he uses a valid password. However, it may enable undetectable on-line dictionary attacks, in which the server is not aware that an on-line dictionary attack is in progress. Two cases must be considered, depending on how the shared session key sk is used in the subsequent communication between the user and the server.

(1) In some applications (e.g., FTP services), the server simply pushes data to the user, so the session key is only needed to protect the channel from the server to the user. In this case undetectable on-line dictionary attacks clearly apply: the server never learns whether the user established the correct key, so a session run with a wrong password guess looks exactly like a successful login from the server's side.

(2) In many other applications, the user uses the shared key to interact with the server. In this case undetectable on-line dictionary attacks are avoided, because the server learns after the fact whether the key used by the user is correct: messages protected under a wrong key fail to verify, and the server can count such failures.

The other anonymous password authentication schemes [1,11,12] have the same problem, lacking explicit authentication of the user by the server; thus they may also suffer from undetectable on-line dictionary attacks.

4. Limits of anonymous password authentication

We now analyze the limitations of anonymous password authentication. These limits are inherent to anonymous password authentication as a whole, not specific to particular schemes. Based on them, we have reason to question whether anonymous password authentication is practically useful.

Limitation 1. Server computation O(n): It is clear that the computational overhead on the server is O(n), linear in the total number of users n. The reason is that the server's computation has to involve all users' passwords in order to achieve unlinkability; otherwise, any password left untouched by the server could not be the requesting user's, which leaks information about who is logging in. To be specific, in the YZ scheme of Figure 1 the server has to compute {A_j} for 1 ≤ j ≤ n for every login request, so its computation is O(n). In practice, O(n) server computation causes a scalability problem in systems with a large number of users and makes the server the bottleneck. This means that, in principle, anonymous password authentication is only feasible in small systems.

Limitation 2. On-line dictionary attacks: As mentioned earlier, on-line dictionary attacks are easy to address in ordinary password authentication by bounding the number of consecutive failed login attempts made against an account and locking the account once the threshold is passed. In anonymous password authentication, however, this is not so easy, because the server cannot tell users apart. Even if the server realizes that an on-line dictionary attack is under way, it does not know which user is the victim; there seems to be no better option than locking all users' accounts, which is clearly unacceptable in real applications since it affects innocent users. Note that asking users to change their passwords frequently does not solve the problem, since on-line dictionary attacks can happen at any time.

Limitation 3. Passive server: In anonymous password authentication the server must be assumed passive; otherwise unlinkability cannot be achieved. (A passive entity follows the protocol honestly but tries to extract additional information from the data it legitimately receives; a malicious entity can behave arbitrarily to achieve its objective.) To see this, recall that the server has to touch every password in order to respond to a login request. A malicious server can therefore use different data for different passwords when computing the shared session key, and then determine which password the user holds from the data associated with the key that was actually established.
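The following toy model is an added illustration; it is not part of the paper and is not the YZ scheme. It uses a SPEKE-style password-derived generator and the trivial PIR (the server ships one value A_j per registered user) to make the three server-side observations of Sections 3.2 and 4 concrete: the server performs O(n) exponentiations per login (Limitation 1); when the client never sends explicit key confirmation, a session run with a guessed password is indistinguishable from a genuine login in the server's view, whereas with confirmation a wrong key is caught and counted, though not attributed to any account (Section 3.2 and Limitation 2); and a server that uses a distinct nonce for each entry, as described for Limitation 3, learns from the client's confirmation which entry the client unmasked. The group (the Mersenne prime 2^127-1), the hash-to-generator construction, the message layout, the HMAC-based confirmation and the sample passwords are all assumptions of the example, not details of any published scheme.

```python
"""Toy anonymous PAKE with trivial PIR: generator g_j = H(pw_j) per user,
one server value A_j per registered user.  Illustration only; this is not
the YZ scheme and not a secure protocol."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1          # Mersenne prime 2^127 - 1: toy group (assumption)


def base_for(password: bytes) -> int:
    """Password-derived generator g = H(pw) mod P (SPEKE style)."""
    h = int.from_bytes(hashlib.sha256(b"base|" + password).digest(), "big")
    return 2 + h % (P - 3)   # avoid the trivial elements 0, 1 and P-1


def rand_exp() -> int:
    return 2 + secrets.randbelow(P - 3)


def kdf(k: int) -> bytes:
    """Session key derived from the shared group element."""
    return hashlib.sha256(b"sk|" + k.to_bytes(16, "big")).digest()


def confirm_tag(sk: bytes, transcript: bytes) -> bytes:
    """Explicit client-to-server key confirmation, the step the paper
    observes is missing from the YZ scheme."""
    return hmac.new(sk, b"client|" + transcript, hashlib.sha256).digest()


def encode_transcript(X: int, A) -> bytes:
    return b"".join(v.to_bytes(16, "big") for v in [X] + list(A))


class Server:
    def __init__(self, passwords):
        self.g = [base_for(pw) for pw in passwords]   # one entry per user
        self.failed_logins = 0        # countable, but never attributable to a user

    def respond(self, X: int, per_entry_nonce: bool = False):
        """Passive server: one nonce y for all entries.  Malicious server
        (per_entry_nonce=True): a distinct y_j per entry, the paper's r_sj.
        Returns the list {A_j} sent to the client and the server's candidate
        session keys, one per entry (all identical for a passive server)."""
        n = len(self.g)
        ys = [rand_exp() for _ in range(n)] if per_entry_nonce else [rand_exp()] * n
        A = [pow(g_j, y_j, P) for g_j, y_j in zip(self.g, ys)]   # O(n) exponentiations
        candidates = [kdf(pow(X, y_j, P)) for y_j in ys]
        return A, candidates

    def check_confirmation(self, candidates, transcript, tag):
        """Set of entries whose key verifies the client's tag: every entry with a
        single shared nonce (no linkage), only the unmasked entry with per-entry
        nonces (the user is identified)."""
        matched = {j for j, sk in enumerate(candidates)
                   if hmac.compare_digest(confirm_tag(sk, transcript), tag)}
        if not matched:
            self.failed_logins += 1   # detected, but the victim account is unknown
        return matched

    @staticmethod
    def push(candidates, data: bytes) -> bytes:
        """Case (1) of Section 3.2: data pushed under the server's key without
        ever checking that the client holds the same key."""
        return hmac.new(candidates[0], b"push|" + data, hashlib.sha256).digest()


def client_login(password: bytes, index: int, server: Server, per_entry_nonce=False):
    """User `index` runs the protocol; returns (client key, server candidates, transcript)."""
    x = rand_exp()
    X = pow(base_for(password), x, P)
    A, candidates = server.respond(X, per_entry_nonce)
    sk = kdf(pow(A[index], x, P))     # trivial PIR: the client picks its own entry locally
    return sk, candidates, encode_transcript(X, A)


def attacker_guess_push_only(guess: bytes, server: Server) -> bool:
    """One on-line guess against a push-only server: the attacker commits to
    `guess` in X, receives {A_j} and the pushed MAC, and tests the guess against
    every entry.  The server records nothing at all."""
    x = rand_exp()
    X = pow(base_for(guess), x, P)
    A, candidates = server.respond(X)
    pushed = Server.push(candidates, b"hello")
    return any(hmac.compare_digest(
                   hmac.new(kdf(pow(a, x, P)), b"push|hello", hashlib.sha256).digest(), pushed)
               for a in A)


def attacker_guess_with_confirmation(guess: bytes, server: Server) -> bool:
    """The same guess when the server demands confirmation: the attacker must
    commit to one entry per session, and a miss is recorded by the server."""
    x = rand_exp()
    X = pow(base_for(guess), x, P)
    A, candidates = server.respond(X)
    transcript = encode_transcript(X, A)
    sk = kdf(pow(A[0], x, P))         # only one entry can be tried per session
    return bool(server.check_confirmation(candidates, transcript, confirm_tag(sk, transcript)))
```

With a passive server every candidate key is identical, so the client's confirmation tells the server nothing about which entry was used; switching to a per-entry nonce turns the same confirmation into an identifier, which is why the paper has to assume a passive server. The only counter the server can keep is `failed_logins`: in the anonymous setting a miss cannot be charged to an account, so the usual lockout threshold has nothing to attach to (Limitation 2), and in push-only use even that counter never moves.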
To be specific, let us again turn to the YZ scheme of Figure 1. Instead of using the same r_s for every entry, the server can use a distinct r_sj to compute each A_j, 1 ≤ j ≤ n. It can then determine which password the user holds from the session key established between them. Here we assume that measures are in place to prevent undetectable on-line dictionary attacks (e.g., the server explicitly authenticates the user), so that the server learns which r_sj was used to compute the shared key. A passive server is a rather strong assumption, and it may not be easy to find a server of this nature in practice.

5. Conclusion

In this paper we first showed that all existing anonymous password authentication schemes are subject to undetectable on-line dictionary attacks in applications where the established session key is only needed to protect the channel from the server to the user. We then analyzed several weaknesses inherent to anonymous password authentication. These weaknesses lead us to doubt the practicality of anonymous password authentication in real-world applications.

References

[1] M. Abdalla, M. Izabachene, and D. Pointcheval. Anonymous and transparent gateway-based password-authenticated key exchange. Proc. International Conference on Cryptology and Network Security, CANS 08 (2008), pp. 133-148.
[2] E. Bresson, O. Chevassut, and D. Pointcheval. Security proofs for an efficient password-based key exchange. Proc. ACM Computer and Communications Security (2003), pp. 241-250.
[3] S. Bellovin and M. Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks. Proc. IEEE Symposium on Research in Security and Privacy (1992), pp. 72-84.
[4] S. Bellovin and M. Merritt. Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. Proc. ACM Computer and Communications Security (1993), pp. 244-250.
[5] M.K. Boyarsky. Public-key cryptography and password protocols: the multi-user case. Proc. ACM Conference on Computer and Communications Security (1999), pp. 63-72.
[6] Y. Ding and P. Horster. Undetectable on-line password guessing attacks. ACM SIGOPS Operating Systems Review, Vol. 29(4) (1995), pp. 77-86.
[7] L. Gong, M. Lomas, R. Needham, and J. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications, 11(5) (1993), pp. 648-656.
[8] S. Halevi and H. Krawczyk. Public-key cryptography and password protocols. Proc. ACM Computer and Communications Security, CCS 98 (1998), pp. 122-131.
[9] J. Katz, R. Ostrovsky, and M. Yung. Efficient password-authenticated key exchange using human-memorable passwords. Proc. Advances in Cryptology, Eurocrypt 01, LNCS 2045 (2001), pp. 475-494.
[10] M.H. Nguyen and S.P. Vadhan. Simpler session-key generation from short random passwords. Proc. Theory of Cryptography, TCC 04 (2004), pp. 428-445.
[11] S. Shin, K. Kobara, and H. Imai. A secure construction for threshold anonymous password-authenticated key exchange. IEICE Transactions on Fundamentals, Vol. E91-A, No. 11 (2008), pp. 3312-3323.
[12] D.Q. Viet, A. Yamamura, and T. Hidema. Anonymous password-based authenticated key exchange. Proc. Indocrypt 2005, LNCS 3797 (2005), pp. 233-257.
[13] J. Yang and Z. Zhang. A new anonymous password-based authenticated key exchange protocol. Proc. Indocrypt 2008, pp. 200-212.