Addressing online dictionary attacks with login histories and humans-in-the-loop (extended abstract)

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 3110, Issue , 2004, Pages 39-53

  Stubblebine, S ^a   Van Oorschot, P C ^b  

^a Stubblebine Research Labs LLC   (United States)

^b CARLETON UNIVERSITY   (Canada)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTERS;

EXTENDED ABSTRACTS; HUMAN-IN-THE-LOOP; LEGITIMATE USERS; ONLINE DICTIONARY ATTACKS; PRELIMINARY ANALYSIS; PROTOCOL PARAMETERS; REVERSE TURING TEST; USER FRIENDLINESS;

ARTIFICIAL INTELLIGENCE;

EID: 35048814173     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-27809-2_5     Document Type: Article

References (27)

1. M. Abadi, M. Burrows, M. Manasse, T. Wobber, "Moderately Hard, Memory-bound Functions", NDSS'03, San Diego, February 2003.
2. R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, 2001.
3. S. Bellovin, M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attack", Proc. IEEE Symp. Research in Security and Privacy, Oakland, May 1992.
4. S. Byers, A. Rubin, D. Kormann, "Defending Against an Internet-based Attack on the Physical World", Workshop on Privacy in the Electronic Society (WPES'02), November 21 2002, Washington D.C.
5. CAPTCHA Project web site, http://www.captcha.net/ (first appeared: 2000).
6. W. Diffie, M. Hellman, "New Directions in Cryptography", IEEE Trans. Info. Theory vol.22 (1976), pp.644-654.
7. W. Diffie, P.C. van Oorschot, M.J. Wiener, "Authentication and Authenticated Key Exchange", Designs, Codes and Cryptography vol.2 (1992), 107-125.
8. C. Dwork, M. Naor, "Pricing via Processing or Combatting Junk Mail", Lecture Notes in Computer Science 740 (Proceedings of CRYPTO'92), 1993, pp. 137-147.
9. Password Usage, Federal Information Processing Standards Publication 112, U.S. Department of Commerce, NIST, 1985.
10. Automated Password Generator, FIPS Pub 112, U.S. Dept. Commerce, 1993.
11. W. Ford, B. Kaliski, "Server-Assisted Generation of a Strong Secret from a Password", 9th Int'l Workshop on Enabling Technologi (WET-ICE 2000), IEEE, 2000.
12. L. Gong, "Verifiable-text attacks in cryptographic protocols", 1990 IEEE INFOCOM, pp.686-693.
13. L. Gong, T. Lomas, R. Needham, J. Saltzer, "Protecting poorly chosen secrets from guessing attacks", IEEE J. Selected Areas Comm. vol.11 (1993), pp.648-656.
14. D. Jablon, "Strong password-only authenticated key exchange", ACM Computer Communcations Review, Oct.1996.
15. A. Juels, J. Brainard, "Client puzzles: A cryptographic defense against connection depletion attacks", Proceedings of the 1999 ISOC Network and Distributed System Security Symposium, pp.151-165, 1999.
16. C. Kaufman, R. Perlman, M. Speciner, Network Security: Private Communication in a Public World, Second Edition, Prentice Hall, 2002.
17. T. Lomas, L. Gong, J. Saltzer, R. Needham, "Reducing risks from poorly chosen keys", Operating Systems Review vol.13, pp.14-18 (presented at 1989 ACM Symp. on Operating Systems Principles).
18. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
19. M. Naor, "Verification of a human in the loop or Identification via the Turing Test", unpublished manuscript, 1997. Online version available at: http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps
20. B. Pinkas, T. Sander, "Securing Passwords Against Dictionary Attacks", 2002 ACM Conf. on Computer and Communications Security, Wash. D.C.
21. L. von Ahn, Eurocrypt'03 presentation of [22], 6 May 2003, Warsaw, Poland.
22. L. von Ahn, M. Blum, N. Hopper, J. Langford, "CAPTCHA: Using Hard AI Problems for Security", Eurocrypt'03 proceedings, Springer-Verlag, LNCS 2656 (2003).
23. T. Wu, "The secure remote password protocol", Internet Society 1998 Network and Distributed System Security symposium (NDSS'98).
24. T. Wolverton, Hackers find new way to bilk eBay users, CNET news.com 03/25/02.
25. J. Yan, "A Note on Proactive Password Checking", Proc. 2001 ACM New Security Paradigms Workshop, New Mexico, USA, Sept.2001.
26. J. Yan, A. Blackwell, R. Anderson, A. Grant, "The Memorability and Security of Passwords - Some Empirical Results", Tech. Report 500, Computer Lab, Cambridge, 2000. http://www.ftp.cl.cam.ac.uk/ftp/rja14/tr500.pdf.
27. P. Zimmermann, The Official PGP User's Guide, MIT Press, 1995.