On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries | Frontiers of Computer Science Skip to main content
Springer Nature Link
Log in

On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries

  • Research Article
  • Published:
Frontiers of Computer Science Aims and scope Submit manuscript

Abstract

Unaided authentication services provide the flexibility to login without being dependent on any additional device. The power of recording attack resilient unaided authentication services (RARUAS) is undeniable as, in some aspects, they are even capable of offering better security than the biometric based authentication systems. However, high login complexity of these RARUAS makes them far from usable in practice. The adopted information leakage control strategies have often been identified as the primary cause behind such high login complexities. Though recent proposals have made some significant efforts in designing a usable RARUAS by reducing its login complexity, most of them have failed to achieve the desired usability standard. In this paper, we have introduced a new notion of controlling the information leakage rate. By maintaining a good security standard, the introduced idea helps to reduce the login complexity of our proposed mechanism — named as Textual-Graphical Password-based Mechanism or TGPM, by a significant extent. Along with resisting the recording attack, TGPM also achieves a remarkable property of threat detection. To the best of our knowledge, TGPM is the first RARUAS, which can both prevent and detect the activities of the opportunistic recording attackers who can record the complete login activity of a genuine user for a few login sessions. Our study reveals that TGPM assures much higher session resiliency compared to the existing authentication services, having the same or even higher login complexities. Moreover, TGPM stores the password information in a distributed way and thus restricts the adversaries to learn the complete secret from a single compromised server. A thorough theoretical analysis has been performed to prove the strength of our proposal from both the security and usability perspectives. We have also conducted an experimental study to support the theoretical argument made on the usability standard of TGPM.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (Japan)

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Bonneau J, Cormac H, Paul C, Van O, Stajano F. The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: Proceedings of IEEE Symposium on Security and Privacy. 2012, 553–567

  2. Pan X, Ling Z, Pingley A, Yu W, Zhang N, Ren K, Fu X. Password extraction via reconstructed wireless mouse trajectory. IEEE Transactions on Dependable and Secure Computing, 2016, 13(4): 461–473

    Article  Google Scholar 

  3. Wang D, Zhang Z, Wang P, Yan J, Huang X. Targeted online password guessing: an underestimated threat. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security. 2016, 1242–1254

  4. Manulis M, Stebila D, Kiefer F, Denham N. Secure modular password authentication for the web using channel bindings. International Journal of Information Security, 2016, 15(6): 597–620

    Article  Google Scholar 

  5. Kontaxis G, Athanasopoulos E, Portokalidis G, Keromytis D A. Sauth: protecting user accounts from password database leaks. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2013, 187–198

  6. Yan Q, Han J, Li Y, Zhou J, Deng R. Leakage-resilient password entry: challenges, design, and evaluation. Computers & Security, 2015, 48(1): 196–211

    Article  Google Scholar 

  7. Bai X, Gu W, Chellappan S, Wang X, Xuan D, Ma B. PAS: predicate-based authentication services against powerful passive adversaries. In: Proceedings of the IEEE Computer Security Applications Conference. 2008, 433–442

  8. Sun M H, Chen T S, Yeh H J, Cheng Y C. A shoulder surfing resistant graphical authentication system. IEEE Transactions on Dependable and Secure Computing, 2018, 15(2): 180–193

    Article  Google Scholar 

  9. Wiese O, Roth V. Pitfalls of shoulder surfing studies. In: Proceedings of the Internet Society NDSS Workshop on Usable Security. 2015, 1–6

  10. Kim D, Dunphy P, Briggs P, Hook J, Nicholson W J, Nicholson J, Olivier P. Multi-touch authentication on tabletops. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2010, 1093–1102

  11. Schaub F, Walch M, Könings B, Weber M. Exploring the design space of graphical passwords on smartphones. In: Proceedings of the ACM Symposium on Usable Privacy and Security. 2013, 1–14

  12. Tari F, Ozok A, Holden S. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In: Proceedings of the ACM Symposium on Usable Privacy and Security. 2006, 56–66

  13. Schaub F, Deyhle R, Weber M. Password entry usability and shoulder surfing susceptibility on different smartphone platforms. In: Proceedings of the ACM International Conference on Mobile and Ubiquitous Multimedia. 2012, 1–13

  14. Wiedenbeck S, Waters J, Sobrado L, Birget C J. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: Proceedings of the ACM Working Conference on Advanced Visual Interfaces. 2006, 177–184

  15. Zhao H, Li X. S3PAS: a scalable shoulder-surfing resistant textual-graphical password authentication scheme. In: Proceedings of the IEEE Advanced Information Networking and Applications Workshops. 2007, 467–472

  16. Čagalj M, Perković T, Bugarić M. Timing attacks on cognitive authentication schemes. IEEE Transactions on Information Forensics and Security, 2015, 10(3): 584–596

    Article  Google Scholar 

  17. Yan Q, Han J, Li Y, Deng H R. On limitations of designing leakage-resilient password systems: attacks, principals and usability. In: Proceedings of the Annual Network and Distributed System Security Symposium. 2012, 1–16

  18. Weir M, Aggarwal S, Collins M, Stern H. Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the ACM Conference on Computer and Communications Security. 2010, 162–175

  19. Forouzan B, Mukhopadhyay D. Cryptography and Network Security. 2nd ed. India: McGraw-Hill Education, 2011

    Google Scholar 

  20. Matsumoto T, Imai H. Human identification through insecure channel. In: Proceedings of Advances in Cryptology-EUROCRYPT, 91. 1991, 409–421

  21. Chakraborty N, Mondal S. Towards incorporating honeywords in n-session recording attack resilient unaided authentication services. IET Information Security, 2018, 13(1): 7–18

    Article  Google Scholar 

  22. Asghar J H, Pieprzyk J, Wang H. A new human identification protocol and coppersmith’s baby-stepgiant-step algorithm. In: Proceedings of the International Conference on Applied Cryptography and Network Security. 2010, 349–366

  23. De Luca A, Hertzschuch K, Hussmann H. Colorpin: securing pin entry through indirect input. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2010, 1103–1106

  24. Hopper N J, Blum M. Secure human identification protocols. In: Proceedings of Advances in Cryptology-ASIACRYPT 2001. 2001, 52–66

  25. Juels A, Rivest R L. Honeywords: making password-cracking detectable. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2013, 145–160

  26. Camenisch J, Lehmann A, Neven G. Optimal distributed password verification. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2015, 182–194

  27. Weinshall D. Cognitive authentication schemes safe against spyware. In: Proceedings of the IEEE Symposium on Security and Privacy. 2006, 6–11

  28. De Luca A. Designing usable and secure authentication mechanisms for public spaces. LMU, PhD Thesis, 2011

  29. Roth V, Richter K, Freidinger R. A PIN-entry method resilient against shoulder surfing. In: Proceedings of the ACM Conference on Computer and Communications Security. 2004, 236–245

  30. Kwon T, Shin S, Na S. Covert attentional shoulder surfing: human adversaries are more powerful than expected. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2014, 44(6): 716–727

    Article  Google Scholar 

  31. Florêncio D, Herley C, Coskun B. Do strong web passwords accomplish anything? In: Proceedings of USENIX Workshop on Hot Topics in Security. 2007, 1–6

  32. Sasamoto H, Christin N, Hayashi E. Undercover: authentication usable in front of prying eyes. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2008, 183–192

  33. Broder A, Mitzenmacher M. Network applications of bloom filters: a survey. Internet Mathematics, 2004, 1(4): 485–509

    Article  MathSciNet  MATH  Google Scholar 

  34. Do Q, Martini B, Choo R K. The role of the adversary model in applied security research. Computers & Security, Elsevier, 2019, 81(4): 156–181

    Article  Google Scholar 

  35. Goldwasser S, Micali S. Probabilistic encryption. Journal of Computer and System Sciences, 1984, 28(2): 270–299

    Article  MathSciNet  MATH  Google Scholar 

  36. Phan D H, Pointcheval D. About the security of ciphers (semantic security and pseudo-random permutations). In: Proceedings of the International Workshop on Selected Areas in Cryptography. 2004, 182–197

  37. Koblitz N, Alfred J M. Another look at “provable security”. Journal of Cryptology Springer, 2007, 20(1): 3–37

    Article  MathSciNet  MATH  Google Scholar 

  38. Wagner D, Goldberg I. Proofs of security for the UNIX password hashing algorithm. In: Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security. 2000, 560–572

  39. Kamara S. Encrypted search. ACM Crossroads, 2015, 21(3): 30–34

    Article  Google Scholar 

  40. Das A, Bonneau J, Caesar M, Borisov N, Wang X. The tangled web of password reuse. In: Proceedings of the Annual Network and Distributed System Security Symposium. 2014, 1–16

  41. Sternberg S. Memory-scanning: mental processes revealed by reaction-time experiments. American Scientist, 1969, 57(4): 421–457

    Google Scholar 

  42. Nobel A P, Shiffrin M R. Retrieval processes in recognition and cued recall. Journal of Experimental Psychology: Learning, Memory, and Cognition American Psychological Association, 2001, 27(2): 384

    Google Scholar 

  43. Woodman G F, Chun M M. The role of working memory and long-term memory in visual search. Visual Cognition Taylor & Francis, 2006, 14(4–8): 808–830

    Article  Google Scholar 

  44. Campbell J, Xue Q. Cognitive arithmetic across cultures. American Psychological Association Journal of Experimental Psychology: General, 2001, 130(2): 299–315

    Google Scholar 

  45. Corbin L, Marquer J. Effect of a simple experimental control: the recall constraint in sternberg’s memory scanning task. European Journal of Cognitive Psychology Taylor & Francis, 2008, 20(5): 913–935

    Article  Google Scholar 

  46. Woodman G F, Luck S J. Visual search is slowed when visuospatial working memory is occupied. Psychonomic Bulletin & Review Springer, 2004, 11(2): 269–274

    Article  Google Scholar 

  47. Hogan R M, Kintsch W. Differential effects of study and test trials on long-term recognition and recall. Journal of Verbal Learning and Verbal Behavior Elsevier, 1971, 10(5): 562–567

    Article  Google Scholar 

  48. Teh P S, Zhang N, Teoh A B J, Chen K. A survey on touch dynamics authentication in mobile devices. Computers & Security Elsevier, 2016, 59(1): 210–235

    Article  Google Scholar 

  49. Kambourakis G, Damopoulos D, Papamartzivanos D, Pavlidakis E. Introducing touchstroke: keystroke-based authentication system for smart-phones. Security and Communication Networks Hindawi, 2016, 9(6): 542–554

    Article  Google Scholar 

  50. Asghar H J, Li S, Pieprzyk J, Wang H. Cryptanalysis of the convex hull click human identification protocol. International Journal of Information Security Springer, 2013, 12(2): 83–96

    Article  MATH  Google Scholar 

  51. Li S, Asghar H J, Pieprzyk J, Sadeghi A R, Schmitz R, Wang H. On the security of PAS (Predicate-based authentication service). In: Proceedings of the IEEE Computer Security Applications Conference. 2009, 209–218

  52. Wang D, Cheng H, Wang P, Huang X, Jian G. Zipf’s law in passwords. IEEE Transactions on Information Forensics and Security, 2017 12(11): 2776–2791

    Article  Google Scholar 

  53. Luby M, Rackoff C. A study of password security. In: Proceedings of Conference on the Theory and Application of Cryptographic Techniques. 1987, 392–397

Download references

Author information

Authors and Affiliations

  1. College of Computer Science and Software Engineering, Shenzhen University, Shenzhen, 518060, China

    Nilesh Chakraborty

  2. Department of Computer Science, Indian Institute of Technology Patna, Bihar, 801106, India

    Samrat Mondal

Authors
  1. Nilesh Chakraborty
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Samrat Mondal
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nilesh Chakraborty.

Additional information

Nilesh Chakraborty received the Master degree and the PhD degree from National Institute of Technology (NIT) Durgapur, India in 2013 and Indian Institute of Technology (IIT) Patna, India in 2018, respectively. He is currently working as a Postdoctoral fellow in Shenzhen University, China. During his PhD, he successfully completed a security project funded by Science & Engineering Research Board (SERB), Government of India. His primary research topic includes authentication and usable security.

Samrat Mondal received the PhD degree from School of IIT Kharagpur, India in 2010. He is working as an assistant professor in the Department of Computer Science and Engineering, IIT Patna, India since 2010. He has also served as a Visiting Associate Professor at the University of Denver, USA for 11 months. His primary research interests include security & privacy, database & data mining and smart energy management related applications. Dr. Mondal has served as a reviewer of journals like IEEE TDSC, Computers & Security, etc. He has received research grants from the Science and Engineering Research Board (SERB), Government of India on multiple occasions. He is also a Senior Member of IEEE since 2019.

Electronic supplementary material

11704_2019_9134_MOESM1_ESM.pdf

On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Chakraborty, N., Mondal, S. On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries. Front. Comput. Sci. 15, 152803 (2021). https://doi.org/10.1007/s11704-019-9134-9

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s11704-019-9134-9

Keywords

Search

Navigation