PalmHashing: a novel approach for dual-factor authentication

Many systems require a reliable personal authentication infrastructure to recognise the identity of a claimant before granting access to him/her. Conventional secure measures include the possession of an identity card or special knowledge like password and personal identification numbers (PINs). These methods are insecure as they can be lost, forgotten and potentially be shared among a group of co-workers for a long time without change. The fact that biometric authentication is convenient and non-refutable makes it a popular approach for a personal identification system. Nevertheless, biometric methods suffer from some inherent limitations and security threats. A more practical approach is to combine two-factor or more authenticators to achieve a higher level of security. This paper proposes a novel dual-factor authenticator based on the iterated inner product between tokenised pseudo-random numbers and user-specific palmprint features. This process generates a set of user-specific compact code called PalmHash, which is highly tolerant of data offset. There is no deterministic way to get the user-specific code without having both PalmHash and the user palmprint feature. This offers strong protection against biometric fabrication. Furthermore, the proposed PalmHashing technique is able to produce zero equal error rate (EER) and yields clean separation of the genuine and imposter populations. Hence, the false acceptance rate (FAR) can be eliminated without suffering from the increased occurrence of the false rejection rate (FRR).This revised version was published online in August 2004 with corrections to the section numbers.     

A password extension for improved human factors

To maximize both the difficulty of guessing passwords and also the ease of remembering passwords, we use a fairly large keyspace (64 bits) and a very long “passphrase” (up to 80 characters). The phrase is hashed into the key, which is then stored in encrypted form. The hashing necessarily includes one-way encryption. Since the phrase is long, one would expect a large keyspace for the actual phrase as well as for the hashed phrase. Since the phrase is meaningful to the owner it should be easier to remember.     

Internet密钥交换协议的安全缺陷分析

IKE(Internet key exchange,RFC2409)提供了一组Internet密钥交换协议,目的是在IPSec(IP security)通信双方之间建立安全联盟和经过认证的密钥材料.随后有学者发现IKE协议存在一个安全缺陷,并给出相应的修改建议.指出了修改后的IKE协议仍然存在类似的安全缺陷,并描述了一个成功的攻击.在给出修改建议的同时,成功地利用BAN逻辑分析了导致这两个安全缺陷的原因.     

一种可证安全的基于浏览器的联合身份管理双向认证协议

提出了一种基于浏览器的联合身份管理双向认证协议, 在TLS会话中采用人类可感知认证码验证身份权威服务器, 通过绑定客户端证书结合加强同源策略达到双向保护令牌的目的。最后用形式化模型分析了其安全性, 证明了协议能够提供安全的认证。