Lighting Two Candles With One Flame: An Unaided Human Identification Protocol With Security Beyond Conventional Limit

Designing an efficient protocol that withstands recording-based attacks by a powerful eavesdropper has remained an open challenge for more than two decades. During authentication, the absence of any secure link between the prover and the verifier makes the situation worse: once an observer has collected a threshold number of challenge-response pairs, the user's secret can be derived from the accumulated information leakage. The existing literature tends to present each new scheme by emphasizing the aspects in which it improves on earlier ones, while glossing over the aspects in which it performs poorly. Unsurprisingly, most of these schemes are far from satisfactory; they are either far from usable or lacking in security features. To address this, we first introduce the concept of "leakage control", which bounds the natural rate of information leakage per authentication session and thereby raises both the usability and the security standards. Beyond prevention, our scheme "lights two candles" by adding a threat detection strategy based on the concept of honeywords. It not only resolves the long-standing conflict between security and usability in practical settings, but, together with client-side threat detection, it also protects the secret on the server side under a distributed framework, thereby guaranteeing security beyond the conventional limit.
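The honeyword-based threat detection the abstract refers to builds on the generic honeyword idea of Juels and Rivest: the real password is stored among decoy "sweetwords", and a separate, minimal honeychecker holds only the index of the genuine one, so a stolen password file does not by itself reveal which entry is real, and a login with a decoy signals that the file has been cracked. The Python sketch below is an added illustration of that generic mechanism, not the protocol proposed in this paper; the class names, the chaffing-by-tweaking decoy generator and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Added example of the generic honeyword mechanism (Juels and Rivest, CCS 2013).
# Class names, the decoy generator and the sample users are constructed for
# illustration; this is not the scheme proposed in the paper above.


def kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a slow password hash; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def tweak_decoys(password: str, n: int, t: int = 2) -> list:
    """Chaffing-by-tweaking: replace the last t characters with random
    characters of the same class, so decoys look as plausible as the real one."""
    if len(password) < t:
        raise ValueError("password too short to tweak")
    rng = secrets.SystemRandom()
    decoys = set()
    while len(decoys) < n:
        tail = ""
        for c in password[-t:]:
            pool = string.digits if c.isdigit() else string.ascii_letters if c.isalpha() else string.punctuation
            tail += rng.choice(pool)
        candidate = password[:-t] + tail
        if candidate != password:
            decoys.add(candidate)
    return sorted(decoys)


@dataclass
class HoneyChecker:
    """Separate, minimal server that stores only user -> index of the real
    sweetword. It never sees passwords or hashes, so compromising the
    password file alone does not reveal which entry is genuine."""
    index: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def set_index(self, user: str, i: int) -> None:
        self.index[user] = i

    def check(self, user: str, i: int) -> bool:
        ok = self.index.get(user) == i
        if not ok:
            self.alarms.append((user, i))  # a decoy was used: the password file is likely cracked
        return ok


@dataclass
class PasswordServer:
    """Main authentication server: per user, k salted sweetword hashes in random order."""
    checker: HoneyChecker
    k: int = 4
    table: dict = field(default_factory=dict)

    def register(self, user: str, password: str, decoys: list = None) -> None:
        decoys = decoys if decoys is not None else tweak_decoys(password, self.k - 1)
        if len(decoys) != self.k - 1 or password in decoys:
            raise ValueError("need exactly k-1 distinct decoys that differ from the password")
        sweetwords = decoys + [password]
        secrets.SystemRandom().shuffle(sweetwords)
        salt = secrets.token_bytes(16)
        self.table[user] = (salt, [kdf(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, attempt: str) -> str:
        """Returns 'accept', 'deny', or 'alarm' (a decoy sweetword was presented)."""
        if user not in self.table:
            return "deny"
        salt, hashes = self.table[user]
        h = kdf(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "accept" if self.checker.check(user, i) else "alarm"
        return "deny"


def breach_simulation(trials: int = 200) -> float:
    """An attacker who cracked every sweetword in the stolen file, but not the
    honeychecker, must guess which entry is real. With k sweetwords the alarm
    fires with probability (k-1)/k per guess; returns the observed alarm rate."""
    password = "Tr0ub4dor&3"  # constructed sample credential
    decoys = tweak_decoys(password, 3)
    checker = HoneyChecker()
    server = PasswordServer(checker, k=4)
    server.register("alice", password, decoys)
    cracked = decoys + [password]  # what an offline cracker of the stolen file would recover
    rng = secrets.SystemRandom()
    alarms = sum(server.login("alice", rng.choice(cracked)) == "alarm" for _ in range(trials))
    return alarms / trials


if __name__ == "__main__":
    print("alarm rate under breach:", breach_simulation())
```

The security of the construction rests on the split between the two components: the password server holds hashes but not the index, the honeychecker holds the index but no hashes, and an attacker who has to guess after cracking the file trips the alarm with probability (k-1)/k. Decoys must be indistinguishable from the real password (flatness); the tweaking generator here is the simplest known approach and is weak against an attacker who knows the user's password habits, which is why the real-world choice of decoy generator matters.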
