Cryptography-Based Authentication for Protecting Cyber Systems

Entity authentication is a fundamental building block of system security and is widely used to protect cyber systems. Nonetheless, the role of cryptography in entity authentication is not well understood, even though cryptography is well known for providing confidentiality, integrity, and non-repudiation. This chapter studies the roles of cryptography in three categories of entity authentication: knowledge-based authentication, token-based authentication, and biometric authentication. For these three categories, we discuss (1) the roles of cryptography in generating password verification data, in password-based challenge/response authentication protocols, and in password-authenticated key exchange protocols; (2) the roles of cryptography in both symmetric-key and private-key token authentication; and (3) cryptographic fuzzy extractors, which can be used to enhance the security and privacy of biometric authentication. This systematic study of the roles of cryptography in entity authentication deepens our understanding of both cryptography and entity authentication and can help us better protect cyber systems.

DOI: 10.4018/978-1-61350-323-2.ch8.8
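The first item in the abstract names two pieces of knowledge-based authentication: the password verification data a server stores, and the challenge/response protocol run against it. The following example, added here and not taken from the chapter, shows a minimal working instance of both: the verifier is a random salt plus a slow salted hash (PBKDF2-HMAC-SHA256, an assumed choice of KDF and parameters), and the login is a nonce challenge answered with an HMAC keyed by the password-derived key, so the password itself never crosses the wire. The `Server` class, the `"client-auth"` context label and the user names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed KDF parameters for this example (not specified by the chapter).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Password verification data: (salt, slow salted hash of the password).

    The server keeps only this pair; the cleartext password is never stored.
    The salt defeats precomputed tables and makes equal passwords look different,
    and the iteration count slows offline guessing if the store leaks.
    """
    if salt is None:
        salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, iterations, dklen=KEY_LEN)
    return salt, verifier


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side of the challenge/response: rederive the key from the
    password and the server-supplied salt, then MAC the fresh nonce."""
    _, key = make_verifier(password, salt)
    return hmac.new(key, b"client-auth" + nonce, hashlib.sha256).digest()


class Server:
    """Constructed server holding verifiers and one outstanding challenge per user."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}      # user -> (salt, verifier)
        self.pending: Dict[str, bytes] = {}                  # user -> live nonce

    def register(self, username: str, password: str) -> None:
        self.users[username] = make_verifier(password)

    def challenge(self, username: str) -> Tuple[bytes, bytes]:
        """Issue a fresh random nonce; the salt is public and sent along with it."""
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Recompute the expected MAC from the stored verifier and compare in
        constant time. The nonce is consumed so a captured response cannot be replayed."""
        salt, verifier = self.users[username]
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        expected = hmac.new(verifier, b"client-auth" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_login(server: Server, username: str, password: str) -> bool:
    """One complete exchange: server challenge -> client response -> server verdict."""
    salt, nonce = server.challenge(username)
    return server.verify(username, client_response(password, salt, nonce))


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")
    print("correct password:", run_login(srv, "alice", "correct horse battery staple"))
    print("wrong password:  ", run_login(srv, "alice", "Tr0ub4dor&3"))
```

One caveat worth drawing out, since it motivates the third item in the abstract: in this scheme the stored verifier is exactly the key the client derives, so whoever reads the verifier store can answer challenges without knowing the password. Salting and a slow KDF limit offline guessing but do not remove that password-equivalence; that is the gap password-authenticated key exchange protocols are designed to close.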
