Extending web applications with a lightweight zero knowledge proof authentication

User authentication is a crucial requirement for secure transactions and access to the sensitive resources on the Web. We propose, implement and evaluate a Zero-Knowledge Proof Authentication (ZKP) algorithm based on isomorphic graphs. The proposed mechanism allows for authentication with varying confidence and security levels. We suggest that most of the computations should be carried out by the user's web browser without revealing password or login at any point in time; instead generated random isomorphic graphs and permutation functions based on the user login/password can be exchanged. Our experimental evaluation shows that by combining the asynchronous web with ZKP protocols, it is feasible to satisfy existing usability standards on the web.

[1]  Robert B. Miller,et al.  Response time in man-computer conversational transactions , 1899, AFIPS Fall Joint Computing Conference.

[2]  D. Corneil,et al.  An Efficient Algorithm for Graph Isomorphism , 1970, JACM.

[3]  Paul Erdös,et al.  Random Graph Isomorphism , 1980, SIAM J. Comput..

[4]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[5]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.

[6]  Hugh C Williams,et al.  Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85 , 1986 .

[7]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[8]  Uwe Schöning Graph Isomorphism is in the Low Hierarchy , 1988, J. Comput. Syst. Sci..

[9]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[10]  Jerome H. Saltzer,et al.  Protecting Poorly Chosen Secrets from Guessing Attacks , 1993, IEEE J. Sel. Areas Commun..

[11]  David P. Jablon Strong password-only authenticated key exchange , 1996, CCRV.

[12]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[13]  Thomas D. Wu The Secure Remote Password Protocol , 1998, NDSS.

[14]  Allan Kuchinsky,et al.  Quality is in the eye of the beholder: meeting users' requirements for Internet quality of service , 2000, CHI.

[15]  Benny Pinkas,et al.  Securing passwords against dictionary attacks , 2002, CCS '02.

[16]  Vitaly Shmatikov,et al.  Fast dictionary attacks on passwords using time-space tradeoff , 2005, CCS '05.

[17]  José Carlos Brustoloni,et al.  Hardening Web browsers against man-in-the-middle and eavesdropping attacks , 2005, WWW '05.

[18]  Mathieu Baudet,et al.  Deciding security of protocols against off-line guessing attacks , 2005, CCS '05.

[19]  Cormac Herley,et al.  A large-scale study of web password habits , 2007, WWW '07.

[20]  Reiner Czerwinski A Polynomial Time Algorithm for Graph Isomorphism , 2007, ArXiv.