Similar Literature
 Found 20 similar documents; search took 31 ms
1.
ABSTRACT

The traditional text-based password has been the default security medium for years; however, the difficulty of memorizing secure strong passwords often leads to insecure practices. A possible alternative solution is graphical authentication, which is motivated by the fact that the capability of humans’ memory for images is superior to text, which helps to improve password usability and security. Recently, some implementations of graphical authentication techniques have been deployed in practice. This paper introduces a new hybrid graphical authentication, “GOTPass,” that authenticates by means of a one-time numerical code that needs to be typed in based on a sequence of secret images and a prechosen input format. An important focus for this paper was the security aspects of the graphical password scheme. This paper reports an in-depth analysis of the security evaluation and shows a high resistance capability of GOTPass against common graphical password attacks. Three attacks were simulated (Guessing, Intersection, and Shoulder-surfing), and the results showed that nearly 98% of the 690 attempts failed to compromise the system.

2.
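Design and Security Analysis of a Graphical Password Identity Authentication Scheme   Total citations: 3 (self-citations: 1, citations by others: 2)
To resolve the conflict between password security and memorability in identity authentication schemes, and to address the many shortcomings of traditional character-based passwords, a reference authentication scheme incorporating a new type of graphical password is proposed. Following graphical password design principles, and drawing on recognition-based and recall-based design ideas, a reference graphical password authentication scheme is presented; the security of graphical passwords is compared with that of text passwords, and the key space of graphical passwords and their resistance to common password attacks are analyzed. The analysis finds that most graphical passwords are superior to traditional passwords in memorability and security.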

3.
An Effective Image Password Identity Authentication Scheme   Total citations: 2 (self-citations: 1, citations by others: 1)
陈平  申永军  徐华龙 《计算机工程》2008,34(20):144-145
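The technologies behind one-time passwords and image passwords are analyzed and compared. The paper points out the shortcomings of image passwords when used for identity authentication in an open network environment, and demonstrates the feasibility and reliability of using one-time passwords to compensate for them. Based on a session key generated from the one-time password, an effective image password identity authentication scheme is designed. The scheme improves password security and can prevent snooping attacks and replay attacks. Similar techniques have been applied in more flexible practical environments and have strengthened the security of application systems.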

4.
ABSTRACT

There are many secure authentication schemes that are secure but difficult to use. Most existing network applications authenticate users with a username and password pair. Such systems using the reusable passwords are susceptible to attacks based on the theft of password. Each scheme has its merits and drawbacks (Misbahuddin, Aijaz Ahmed, & Shastri, 2006). To overcome the susceptibility in the existing applications, there is an authentication mechanism known as Two-Factor Authentication. Two-Factor Authentication is a process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. It is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. The proposed scheme allows users to freely choose their PassFile (file password) instead of remembering the password, eliminating the problem of entering the reusable password and remembering the password. In this scheme, we proposed an efficient scheme for remote user authentication. It does not maintain verifier table and allows the user to freely choose and change their passwords. The proposed scheme provides best usability for the user in terms of PassFile without changing the existing protocol. This approach uses a smart card and is secure against identity theft, guessing attack, insider attack, stolen verifier attack, replay attack, impersonation attack, and reflection attack. The proposed scheme achieves the mutual authentication essential for many applications.

5.
ABSTRACT

A password-based authentication is still the most prevalent authentication method because of its convenience and easy implementations. Since a password is transmitted via network, it has an inherent vulnerability of password exposure to an attacker. A one-time password system reduces the risk of a security breach even when a password is exposed to an attacker, because the password is only meaningful at a given time. A grid data security system uses a technology, GridOne, which allows the use of a one-time password without requiring preinstalled hardware or software infrastructures, and it provides strong security over conventional password-based authentication systems. We analyzed the weakness of the grid data security authentication system and provide a suggestion to compensate for its vulnerability.

6.
ABSTRACT

Graphical password composition is an important part of graphical user authentication which affects the strength of the chosen password. Considering that graphical authentication is associated with visual search, perception, and information retrieval, in this paper we report on an eye-tracking study (N = 109) that aimed to investigate the effects of users’ cognitive styles toward the strength of the created passwords and shed light into whether and how the visual strategy of the users during graphical password composition is associated with the passwords’ strength. For doing so, we adopted Witkin’s Field Dependence-Independence theory, which underpins individual differences in visual information and cognitive processing, as graphical password composition tasks are associated with visual search. The analysis revealed that users with different cognitive processing characteristics followed different patterns of visual behavior during password composition which affected the strength of the created passwords. The findings underpin the need of considering human-cognitive characteristics as a design factor in graphical password schemes. The paper concludes by discussing implications for improving recognition-based graphical passwords through adaptation and personalization techniques based on individual cognitive characteristics.

7.
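A Dynamic-Password-Based Identity Authentication Mechanism and Its Security Analysis   Total citations: 8 (self-citations: 0, citations by others: 8)
Identity authentication is an important component of network security technology. Building on the challenge/response authentication mechanism, this article proposes an authentication mechanism based on dynamic passwords and analyzes its security.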

8.
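Authenticating legitimate users plays a very important role in information security, and traditional authentication based on static passwords faces a variety of security risks. Based on the principles and characteristics of visual cryptography, an improved algorithm is proposed from the standpoint of usage security, and a complete one-time-pad identity password authentication scheme is implemented, making the authentication process more secure and reliable. The system uses two-factor authentication, combining fingerprint recognition with visual cryptography to further improve security, and was ultimately implemented on the AM3517 experimental platform. Tests show that the system is simple to operate, secure and reliable in authentication, easily extensible, and low in cost, with broad application prospects.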

9.
曹阳 《办公自动化》2012,(2):26-27,9
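This article describes the basic principles and advantages of elliptic curve cryptosystems, introduces the principles of one-time password authentication, and analyzes the S/Key one-time password system. Using the ECC cryptosystem to improve the existing one-time password system, it implements a one-time password authentication scheme with mutual authentication in a grade management system, which has significant advantages in computation speed and storage space over other identity authentication schemes.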

10.
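Based on the RSA cryptosystem and a secure one-way hash function, a relatively secure remote password authentication scheme is proposed. Using two-factor authentication that combines a personal identification number (PIN) with a smart card, users can not only choose their own passwords but also update them at any time as needed, greatly enhancing system security and improving authentication efficiency.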

11.
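Based on the RSA cryptosystem and a secure one-way hash function, a relatively secure remote password authentication scheme is proposed. Using two-factor authentication that combines a personal identification number (PIN) with a smart card, users can not only choose their own passwords but also update them at any time as needed, greatly enhancing system security and improving authentication efficiency.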

12.
Most remote systems require user authentication to access resources. Text-based passwords are still widely used as a standard method of user authentication. Although conventional text-based passwords are rather hard to remember, users often write their passwords down in order to compromise security. One of the most complex challenges users may face is posting sensitive data on external data centers that are accessible to others and are not controlled directly by users. Graphical user authentication methods have recently been proposed to verify the user identity. However, the fundamental limitation of a graphical password is that it must have a colorful and rich image to provide an adequate password space to maintain security, and when the user clicks and inputs a password between two possible grids, the fault tolerance is adjusted to avoid this situation. This paper proposes an enhanced graphical authentication scheme, which comprises benefits over both recognition and recall-based graphical techniques besides image steganography. The combination of graphical authentication and steganography technologies reduces the amount of sensitive data shared between users and service providers and improves the security of user accounts. To evaluate the effectiveness of the proposed scheme, peak signal-to-noise ratio and mean squared error parameters have been used.

13.
Traditional authentication (identity verification) systems, used to gain access to a private area in a building or to data stored in a computer, are based on something the user has (an authentication card, a magnetic key) or something the user knows (a password, an identification code). However, emerging technologies allow for more reliable and comfortable user authentication methods, most of them based on biometric parameters. Much work could be found in the literature about biometric-based authentication, using parameters like iris, voice, fingerprints, face characteristics, and others. In this work a novel authentication method is presented and preliminary results are shown. The biometric parameter employed for the authentication is the retinal vessel tree, acquired through retinal digital images, i.e., photographs of the fundus of the eye. It has already been asserted by expert clinicians that the configuration of the retinal vessels is unique for each individual and that it does not vary during his life, so it is a very well-suited identification characteristic. Before the verification process can be executed, a registration step is required to align both the reference image and the picture to be verified. A fast and reliable registration method is used to perform this step, so that the whole authentication process takes about 0.3 s.

14.
Research on the Security of WIFI Wireless Login   Total citations: 1 (self-citations: 0, citations by others: 1)
于璐 《软件》2013,(12):235-238
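Wireless network security has long attracted attention, and authentication is an important part of ensuring information security. There are currently several wireless authentication methods, such as Radius authentication, Web authentication, and port authentication. This article surveys and analyzes two of them, Radius authentication and Web authentication, comparing their performance under home-router authentication in order to better address the currently widespread weak-password problem.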

15.
张忠  向涛 《计算机应用》2008,28(11):2811-2813
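Identity verification is an important aspect of computer communication. Because of their simplicity, password authentication protocols have been widely used for identity verification. Recently, Lee et al. proposed a random-number-based remote user authentication scheme using a Smart Card. This paper points out that the scheme is not as secure as its proposers claim, and presents two attack methods that break it.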

16.
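A remote password mutual authentication scheme is proposed that is based on fingerprint features without leaking them. In this scheme, the password is generated from the user's fingerprint features; the system server stores neither a fingerprint template database nor a password table; the system administrator cannot derive a user's fingerprint features; an intruder cannot derive any user's password or any secret information; the system can authenticate visiting users, and users can also verify the authenticity of the system. The scheme resists retry (replay) attacks and prevents system insiders from forging access records.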

17.
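Authenticated encryption algorithms ensure both the confidentiality and the integrity of data. Based on the Chinese national standard symmetric cipher SM4, a new authenticated encryption algorithm, SMAE, is proposed. SMAE is a single-pass dedicated authenticated encryption algorithm. By combining the authentication tag generation module with the SM4 round function and improving the encryption module, the algorithm can share data and parts of the algorithm across the initialization, encryption, and tag generation phases, minimizing the consumption of computing resources. Correctness and security analyses of SMAE show that the algorithm performs encryption and decryption correctly and resists current mainstream cryptographic attacks. In addition, efficiency experiments comparing it with SM4 and AEGIS show that its efficiency is somewhat lower than that of SM4 and comparable to that of AEGIS, making it practical.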

18.
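Research on Optimizing Authentication Mechanisms in Heterogeneous Network Handover   Total citations: 2 (self-citations: 1, citations by others: 1)
Based on a network-layer authentication architecture that combines the Protocol for Carrying Authentication for Network Access with the Extensible Authentication Protocol, and using pre-authentication together with authentication association certificates, a network-layer joint authentication optimization method is proposed that reduces authentication delay during handover between heterogeneous networks. Simulation comparison with two other authentication optimization methods, IEEE802.11i pre-authentication and network-layer-assisted link-layer pre-authentication, shows that it effectively reduces handover authentication delay between heterogeneous networks.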

19.
Authentication is a procedure by which a client convinces the service provider about a claimed property under a given authentication policy. Anonymous authentication has an added property: protect the real identity of the client. In this paper, we study the situations with dynamic authentication policies, commonly seen in large scale systems such as cloud computing. While this is not a significant issue for classic authentication where client anonymity is not a concern, it will introduce an array of difficulties to anonymous authentication which have not been formally investigated. To address this issue, we propose the notion of SA3: Self-Adaptive Anonymous Authentication. The related models are presented together with a generic design from attribute-based signatures.

20.
HENK MEIJER  SELIM AKL 《Cryptologia》2013,37(2):183-186
Abstract

Password authentication is a type of authentication protocol for communications over an insecure network. Recently, Kim, Jeon, and Yoo gave an improvement of Yang-Shieh password authentication schemes to resist an existing forgery attack. However, in this paper, we construct a new forgery attack and show that Kim-Jeon-Yoo schemes are not secure under our attack.
