Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound

As the most prevailing two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of this type of schemes have wave upon wave been proposed. In most of these studies, there is no comprehensive and systematical metric available for schemes to be assessed objectively, and the authors present new schemes with assertions of the superior aspects over previous ones, while overlooking dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory—either are found short of important security goals or lack of critical properties, especially being stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.

[1]  Nikita Borisov,et al.  The Tangled Web of Password Reuse , 2014, NDSS.

[2]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[3]  Xiong Li,et al.  A new authenticated key agreement scheme based on smart cards providing user anonymity with formal proof , 2015, Secur. Commun. Networks.

[4]  Ninghui Li,et al.  A Study of Probabilistic Password Models , 2014, 2014 IEEE Symposium on Security and Privacy.

[5]  Xun Yi,et al.  Efficient Two-Server Password-Only Authenticated Key Exchange , 2013, IEEE Transactions on Parallel and Distributed Systems.

[6]  Wen-Bing Horng,et al.  A secure remote authentication scheme preserving user anonymity with non-tamper resistant smart cards , 2010 .

[7]  Dimitriadis Evangelos,et al.  The Quest to Replace Passwords : a Framework for Comparative Evaluation of Web Authentication Schemes , 2016 .

[8]  Fan Wu,et al.  An improved and provable remote user authentication scheme based on elliptic curve cryptosystem with user anonymity , 2015, Secur. Commun. Networks.

[9]  Ronald L. Rivest,et al.  Honeywords: making password-cracking detectable , 2013, CCS.

[10]  Chunguang Ma,et al.  Security flaws in two improved remote user authentication schemes using smart cards , 2014, Int. J. Commun. Syst..

[11]  Andrew Warfield,et al.  Cloud security: a gathering storm , 2014, CACM.

[12]  Sandeep K. Sood,et al.  Secure Dynamic Identity-Based Authentication Scheme Using Smart Cards , 2011, Inf. Secur. J. A Glob. Perspect..

[13]  Sourav Mukhopadhyay,et al.  A secure password-based authentication and key agreement scheme using smart cards , 2015, J. Inf. Secur. Appl..

[14]  Robert H. Deng,et al.  On Limitations of Designing Leakage-Resilient Password Systems: Attacks, Principals and Usability , 2012, NDSS.

[15]  Minh-Triet Tran,et al.  Chaotic Chebyshev Polynomials Based Remote User Authentication Scheme in Client-Server Environment , 2015, SEC.

[16]  Ping Wang,et al.  Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards , 2013, ISC.

[17]  Vanga Odelu,et al.  A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards , 2015, IEEE Transactions on Information Forensics and Security.

[18]  Jianhua Li,et al.  Anonymity Enhancement on Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards , 2010, IEEE Transactions on Industrial Electronics.

[19]  Fabrice Benhamouda,et al.  Security of the J-PAKE Password-Authenticated Key Exchange Protocol , 2015, 2015 IEEE Symposium on Security and Privacy.

[20]  Michael Scott,et al.  Implementing Cryptographic Pairings on Smartcards , 2006, CHES.

[21]  Mike Bond,et al.  Chip and Skim: Cloning EMV Cards with the Pre-play Attack , 2012, 2014 IEEE Symposium on Security and Privacy.

[22]  Jia-Lun Tsai,et al.  Novel Anonymous Authentication Scheme Using Smart Cards , 2013, IEEE Transactions on Industrial Informatics.

[23]  Ping Wang,et al.  On the Implications of Zipf's Law in Passwords , 2016, ESORICS.

[24]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[25]  Jan Camenisch,et al.  Optimal Distributed Password Verification , 2015, CCS.

[26]  Muhammad Khurram Khan,et al.  An enhanced privacy preserving remote user authentication scheme with provable security , 2015, Secur. Commun. Networks.

[27]  Jin Wook Byun,et al.  Privacy preserving smartcard-based authentication system with provable security , 2015, Secur. Commun. Networks.

[28]  Nitesh Saxena,et al.  Two-Factor Authentication Resilient to Server Compromise Using Mix-Bandwidth Devices , 2014, NDSS.

[29]  Paul C. van Oorschot,et al.  A Research Agenda Acknowledging the Persistence of Passwords , 2012, IEEE Security & Privacy.

[30]  Cheng-Chi Lee,et al.  A Robust Remote User Authentication Scheme Using Smart Card , 2011, Inf. Technol. Control..

[31]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1999 .

[32]  Chun-I Fan,et al.  Robust remote authentication scheme with smart cards , 2005, Comput. Secur..

[33]  Pascal Lorenz,et al.  User authentication scheme preserving anonymity for ubiquitous devices , 2015, Secur. Commun. Networks.

[34]  Ping Wang,et al.  The Emperor's New Password Creation Policies: An Evaluation of Leading Web Services and the Effect of Role in Resisting Against Online Guessing , 2015, ESORICS.

[35]  Dengguo Feng,et al.  An improved smart card based password authentication scheme with provable security , 2009, Comput. Stand. Interfaces.

[36]  Wei Sun,et al.  Small Tweaks Do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards , 2015, ESORICS.

[37]  Da-Zhi Sun,et al.  On the Privacy of Khan et al.'s Dynamic ID-Based Remote Authentication Scheme with User Anonymity , 2013, Cryptologia.

[38]  Ping Wang,et al.  Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity , 2015, Inf. Sci..

[39]  Peng Wu,et al.  Secure password-based remote user authentication scheme with non-tamper resistant smart cards , 2012, IACR Cryptol. ePrint Arch..

[40]  Yongge Wang,et al.  Password Protected Smart Card and Memory Stick Authentication Against Off-line Dictionary Attacks , 2012, IACR Cryptol. ePrint Arch..

[41]  Thomas D. Wu The Secure Remote Password Protocol , 1998, NDSS.

[42]  Yingjiu Li,et al.  On Limitations of Designing Usable Leakage-Resilient Password Systems: Attacks, Principles and Usability , 2012, NDSS 2012.

[43]  Cheng-Chi Lee,et al.  A password authentication scheme over insecure networks , 2006, J. Comput. Syst. Sci..

[44]  Debiao He,et al.  Improvement on a Smart Card Based Password Authentication Scheme , 2012 .

[45]  Min-Shiang Hwang,et al.  A new remote user authentication scheme using smart cards , 2000, IEEE Trans. Consumer Electron..

[46]  Xiaotie Deng,et al.  Two-factor mutual authentication based on smart cards and passwords , 2008, J. Comput. Syst. Sci..

[47]  John Bohannon Privacy. Credit card study blows holes in anonymity. , 2015, Science.

[48]  Jianfeng Ma,et al.  Improvement of robust smart‐card‐based password authentication scheme , 2015, Int. J. Commun. Syst..

[49]  Feng Hao On robust key agreement based on public key authentication , 2014 .

[50]  Ping Wang,et al.  Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment , 2015, IEEE Transactions on Dependable and Secure Computing.

[51]  Xiong Li,et al.  An enhanced smart card based remote user password authentication scheme , 2013, J. Netw. Comput. Appl..

[52]  Lorie M. Liebrock,et al.  Using Fingerprint Authentication to Reduce System Security: An Empirical Study , 2011, 2011 IEEE Symposium on Security and Privacy.

[53]  Daphna Weinshall,et al.  Cognitive authentication schemes safe against spyware , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[54]  Muhammad Khurram Khan,et al.  Cryptanalysis and improvement of ‘a robust smart‐card‐based remote user password authentication scheme’ , 2014, Int. J. Commun. Syst..

[55]  Ronggong Song Advanced smart card based password authentication protocol , 2010, Comput. Stand. Interfaces.

[56]  Ping Wang,et al.  On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions , 2014, Comput. Networks.

[57]  Chunhua Su,et al.  Two robust remote user authentication protocols using smart cards , 2010, J. Syst. Softw..

[58]  Wen-Shenq Juang,et al.  Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards , 2008, IEEE Transactions on Industrial Electronics.

[59]  Wei-Bin Lee,et al.  A new method for using hash functions to solve remote user authentication , 2008, Comput. Electr. Eng..

[60]  Elisa Bertino,et al.  Robust Multi-Factor Authentication for Fragile Communications , 2014, IEEE Transactions on Dependable and Secure Computing.

[61]  Yi Mu,et al.  An Efficient Generic Framework for Three-Factor Authentication With Provably Secure Instantiation , 2014, IEEE Transactions on Information Forensics and Security.

[62]  Lih-Chyau Wuu,et al.  Robust smart‐card‐based remote user password authentication scheme , 2014, Int. J. Commun. Syst..

[63]  R. C. Mittal,et al.  Dynamic ID-based remote user password authentication schemes using smart cards: A review , 2012, J. Netw. Comput. Appl..

[64]  Yuefei Zhu,et al.  Robust smart-cards-based user authentication scheme with user anonymity , 2012, Secur. Commun. Networks.

[65]  W M Ross Whats in a name? , 1989, Clinical radiology.

[66]  David Evans,et al.  Reverse-Engineering a Cryptographic RFID Tag , 2008, USENIX Security Symposium.

[67]  Jizhou Sun,et al.  Improvements of Juang 's Password-Authenticated Key Agreement Scheme Using Smart Cards , 2009, IEEE Transactions on Industrial Electronics.

[68]  Juan Qu,et al.  An Improved Dynamic ID-Based Remote User Authentication with Key Agreement Scheme , 2013, J. Electr. Comput. Eng..

[69]  Rafail Ostrovsky,et al.  Efficient and secure authenticated key exchange using weak passwords , 2009, JACM.

[70]  Emmanuel Bresson,et al.  Security proofs for an efficient password-based key exchange , 2003, CCS '03.

[71]  Peilin Hong,et al.  A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture , 2012, J. Comput. Syst. Sci..

[72]  Min Gyo Chung,et al.  More secure remote user authentication scheme , 2009, Comput. Commun..

[73]  Li Xu,et al.  Further Observations on Smart-Card-Based Password-Authenticated Key Agreement in Distributed Systems , 2014, IEEE Transactions on Parallel and Distributed Systems.

[74]  Rajaram Ramasamy,et al.  New Remote Mutual Authentication Scheme using Smart Cards , 2009, Trans. Data Priv..

[75]  Chin-Laung Lei,et al.  Robust authentication and key agreement scheme preserving the privacy of secret key , 2011, Comput. Commun..

[76]  Ping Wang,et al.  The Request for Better Measurement: A Comparative Evaluation of Two-Factor Authentication Schemes , 2016, AsiaCCS.

[77]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[78]  SK Hafizul Islam,et al.  Design and analysis of an improved smartcard‐based remote user password authentication scheme , 2016, Int. J. Commun. Syst..

[79]  Zhenfu Cao,et al.  Efficient remote user authentication scheme using smart card , 2005, Comput. Networks.

[80]  Ping Wang,et al.  Zipf’s Law in Passwords , 2017, IEEE Transactions on Information Forensics and Security.

[81]  Wei-Chi Ku,et al.  Weaknesses and improvement of Wang et al.'s remote user password authentication scheme for resource-limited environments , 2009, Comput. Stand. Interfaces.

[82]  Ping Wang,et al.  Targeted Online Password Guessing: An Underestimated Threat , 2016, CCS.