Neural Network Techniques for Proactive Password Checking

This paper deals with the access control problem. We assume that valuable resources need to be protected against unauthorized users and that, to this aim, a password-based access control scheme is employed. This abstract scenario captures many application settings. The issue we focus on is the following: password-based schemes provide a certain level of security only as long as users choose good passwords, i.e., passwords that are hard to guess in a reasonable amount of time. To force users to make good choices, a proactive password checker can be implemented as a submodule of the access control scheme. Whenever a user chooses or changes a password, the checker decides on the fly whether to accept or refuse the new password, depending on its guessability. Hence, the question is: how can we get an effective and efficient proactive password checker? We answer this question by means of neural networks and statistical techniques, developing suitable proactive password checkers. Through a series of experiments, we show that these checkers have very good performance: error rates are comparable to those of the best existing checkers, implemented on different principles and by using other methodologies, and the memory requirements are better in several cases. It is the first time that neural network technology has been fully and successfully applied to designing proactive password checkers.
