oPass: A user authentication protocol resistant to password stealing and password reuse attacks

IEEE Transactions on Information Forensics and Security

Volumn 7, Issue 2, 2012, Pages 651-663

  Sun, Hung Min ^a   Chen, Yao Hsin ^a   Lin, Yue Hsun ^a  

^a NATIONAL TSING HUA UNIVERSITY   (Taiwan)

Author keywords

Network security; password reuse attack; password stealing attack; user authentication

Indexed keywords

CELL PHONE; DOMINO EFFECTS; KEYLOGGERS; MALWARES; PASSWORD REUSE ATTACK; PASSWORD STEALING ATTACK; PHISHING; PHONE NUMBER; SHORT MESSAGE SERVICES; TELECOMMUNICATION SERVICE PROVIDER; TEXT PASSWORD; THREATS AND VULNERABILITIES; USER AUTHENTICATION; USER AUTHENTICATION PROTOCOLS; WEB AUTHENTICATION;

COMPUTER CRIME; NETWORK PROTOCOLS; NETWORK SECURITY; WEBSITES;

AUTHENTICATION;

EID: 84863343959     PISSN: 15566013     EISSN: None     Source Type: Journal    
DOI: 10.1109/TIFS.2011.2169958     Document Type: Conference Paper

References (48)

1. B. Ives, K. R. Walsh, and H. Schneider, "The domino effect of password reuse," Commun. ACM, vol. 47, no. 4, pp. 75-78, 2004.
2. S. Gawand E. W. Felten, "Password management strategies for online accounts," in SOUPS '06: Proc. 2nd Symp. Usable Privacy . Security, New York, 2006, pp. 44-55, ACM.
3. D. Florencio and C. Herley, "A large-scale study of web password habits," in WWW '07: Proc. 16th Int. Conf. World Wide Web., New York, 2007, pp. 657-666, ACM.
4. S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle, "Multiple password interference in text passwords and click-based graphical passwords," in CCS '09: Proc. 16th ACM Conf. Computer Communications Security, New York, 2009, pp. 500-511, ACM.
5. I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The design and analysis of graphical passwords," in SSYM'99: Proc. 8th Conf. USENIX Security Symp., Berkeley, CA, 1999, pp. 1-1, USENIX Association.
6. A. Perrig and D. Song, "Hash visualization: A new technique to improve real-world security," in Proc. Int.Workshop Cryptographic Techniques E-Commerce, Citeseer, 1999, pp. 131-138.
7. J. Thorpe and P. van Oorschot, "Towards secure design choices for implementing graphical passwords," presented at the 20th. Annu. Computer Security Applicat. Conf., 2004.
8. S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, "Passpoints: Design and longitudinal evaluation of a graphical password system," Int. J. Human-Computer Studies, vol. 63, no. 1-2, pp. 102-127, 2005.
9. S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget, "Design and evaluation of a shoulder-surfing resistant graphical password scheme," in AVI '06: Proc. Working Conf. Advanced Visual Interfaces, New York, 2006, pp. 177-184, ACM.
10. B. Pinkas and T. Sander, "Securing passwords against dictionary attacks," in CCS '02: Proc. 9th ACM Conf. Computer Communications Security, New York, 2002, pp. 161-170, ACM.
11. J. A. Halderman, B. Waters, and E. W. Felten, "A convenient method for securely managing passwords," in WWW '05: Proc. 14th Int. Conf. World Wide Web, New York, 2005, pp. 471-479, ACM.
12. K.-P. Yee and K. Sitaker, "Passpet: Convenient password management and phishing protection," in SOUPS '06: Proc. 2nd Symp. Usable Privacy Security, New York, 2006, pp. 32-43, ACM.
13. S. Chiasson, R. Biddle, and P. C. van Oorschot, "A second look at the usability of click-based graphical passwords," in SOUPS '07: Proc. 3rd Symp. Usable Privacy Security, New York, 2007, pp. 1-12, ACM.
14. K. M. Everitt, T. Bragin, J. Fogarty, and T. Kohno, "A comprehensive study of frequency, interference, and training of multiple graphical passwords," in CHI '09: Proc. 27th Int. Conf. Human Factors Computing Systems, New York, 2009, pp. 889-898, ACM.
15. J. Thorpe and P. C. van Oorschot, "Graphical dictionaries and thememorable space of graphical passwords," in SSYM'04: Proc. 13th Conf. USENIX Security Symp., Berkeley, CA, 2004, pp. 10-10, USENIX Association.
16. J. Thorpe and P. C. van Oorschot, "Human-seeded attacks and exploiting hot-spots in graphical passwords," in SS'07: Proc. 16th USENIX Security Symp. USENIX Security, Berkeley, CA, 2007, pp. 1-16, USENIX Association.
17. P. van Oorschot, A. Salehi-Abari, and J. Thorpe, "Purely automated attacks on passpoints-style graphical passwords," IEEE Trans. Information Forensics Security, vol. 5, no. 3, pp. 393-405, Sep. 2010.
18. R. Dhamija, J. D. Tygar, andM. Hearst, "Why phishing works," in CHI '06: Proc. SIGCHI Conf. Human Factors Computing Systems, New York, 2006, pp. 581-590, ACM.
19. C.Karlof,U. Shankar, J. D.Tygar, andD.Wagner, "Dynamic pharming attacks and locked same-origin policies for web browsers," in CCS '07: Proc. 14th ACMConf. Computer Communications Security, NewYork, 2007, pp. 58-71, ACM.
20. T. Holz, M. Engelberth, and F. Freiling, "Learning more about the underground economy:Acase-study of keyloggers and dropzones," Proc. Computer Security ESORICS 2009, pp. 1-18, 2010.
21. N. Provos, D. Mcnamee, P. Mavrommatis, K. Wang, and N. Modadugu, "The ghost in the browser: Analysis of web-based malware," in Proc. 1st Conf. Workshop Hot Topics in Understanding Botnets, Berkeley, CA, 2007.
22. Phishing Activity Trends Rep., 2nd Quarter/2010 Anti-Phishing Working Group [Online]. Available: http://www.antiphishing.org/
23. B. Parno, C. Kuo, and A. Perrig, "Phoolproof phishing prevention," Financial Cryptography Data Security, pp. 1-19, 2006.
24. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda, "Panorama: Capturing system-wide information flow for malware detection and analysis," in CCS '07: Proc.e 14th ACM Conf. Computer Communications Security, New York, 2007, pp. 116-127, ACM.
25. S. Garriss, R. Cáceres, S. Berger, R. Sailer, L. van Doorn, and X. Zhang, "Trustworthy and personalized computing on public kiosks," in Proc. 6th Int. Conf. Mobile Systems, Applications Services, 2008, pp. 199-210, ACM.
26. RSA SecureID [Online]. Available: http://www.rsa.com/node. aspx?id=1156/
27. L. O'Gorman, "Comparing passwords, tokens, and biometrics for user authentication," Proc. IEEE, vol. 91, no. 12, pp. 2021-2040, Dec. 2003.
28. L. Lamport, "Password authentication with insecure communication," Commun. ACM, vol. 24, pp. 770-772, Nov. 1981.
29. H. Gilbert and H. Handschuh, "Security analysis of SHA-256 and sisters," in Selected Areas Cryptography, 2003, pp. 175-193, Springer.
30. TS 23.040: Technical Realization Short Message Service (SMS) 3GPP [Online]. Available: http://www.3gpp.org/
31. I. T. Report, ITU Internet Rep. 2006: Digital.Life [Online]. Available: http://www.itu.int/
32. TS 35.201: Specification 3GPP Confidentiality Integrity Algorithms Document 1: f8 and f9 Specification 3GPP [Online]. Available: http://www.3gpp.org/
33. TS 35.202: Specification 3GPP Confidentiality Integrity Algorithms Document 2: KASUMI Specification 3GPP [Online]. Available: http://www.3gpp.org/
34. B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell, "Stronger password authentication using browser extensions," in SSYM'05: Proc. 14th Conf. USENIX Security Symp., Berkeley, CA, 2005, pp. 2-2, USENIX Association.
35. M. Bellare and C. Namprempre, "Authenticated encryption: Relations among notions and analysis of the generic composition paradigm," Advances Cryptology-ASIACRYPT 2000, pp. 531-545, 2000.
36. H. Krawczyk, "The order of encryption and authentication for protecting communications (or: How secure is SSL?)," in Advances Cryptology- CRYPTO 2001, 2001, pp. 310-331.
37. B. Blanchet, ProVerif: Cryptographic Protocol Verifier Formal Model [Online]. Available: http://www.proverif.ens.fr/
38. B. Blanchet, "An efficient cryptographic protocol verifier based on prolog rules," in Proc. 14th IEEE Computer Security Foundations Workshop, 2001, pp. 82-96.
39. M. Weir, S. Aggarwal, M. Collins, and H. Stern, "Testing metrics for password creation policies by attacking large sets of revealed passwords," in Proc. 17th ACM Conf. Computer Communications Security, New York, 2010, pp. 162-175, ACM.
40. T. Delenikas et al., SMSLib API-Java Library for Sending/Receiving SMS [Online]. Available: http://smslib.org/
41. M.Wu, S. Garfinkel, and R. Miller, "Secure web authentication with mobile phones," in DIMACS Workshop Usable Privacy Security Software, Citeseer, 2004.
42. E. Barkan and E. Biham, "Conditional estimators: An effective attack on A5/1," in Selected Areas in Cryptography. NewYork:Springer, 2006, pp. 1-19.
43. M. Mannan and P. van Oorschot, "Using a personal device to strengthen password authentication from an untrusted computer," Financial Cryptography Data Security, pp. 88-103, 2007.
44. J.McCune, A. Perrig, andM. Reiter, "Bump in the ether: A framework for securing sensitive user input," in USENIX Annu. Tech. Conf., 2006, pp. 185-198.
45. C. Yue and H. Wang, "SessionMagnifier: A simple approach to secure and convenient kiosk browsing," in Proc. 11th Int. Conf. Ubiquitous Computing, 2009, pp. 125-134, ACM.
46. D. Wendlandt, D. G. Andersen, and A. Perrig, "Perspectives: Improving ssh-style host authentication with multi-path probing," in Proc. USENIX 2008 Annu. Tech. Conf., Berkeley, CA, 2008, pp. 321-334, USENIX Association.
47. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, "Emperor's new security indicators: An evaluation of website authentication and the effect of role playing on usability studies," in Proc. 2007 IEEE Symp. Security Privacy, 2007.
48. R. Biddle, S. Chiasson, and P. van Oorschot, "Graphical passwords: Learning from the first twelve years," in ACM Computing Surveys, Carleton Univ., 2010.