Differentiated Virtual Passwords, Secret Little Functions, and Codebooks for Protecting Users From Password Theft

This paper addresses how to keep users' passwords from being stolen by adversaries in online environments and at automated teller machines. We propose differentiated virtual password mechanisms in which a user is free to choose a virtual password scheme from a range running from weak to strong security. A virtual password is what the user actually enters: it is derived from the real password by a small amount of human computation, so that what an adversary captures at the keyboard or keypad is not the real password itself. The tradeoff is that the stronger the scheme, the more complex the computation it may demand of the user. The schemes include a default method (the traditional password), system-recommended functions, user-specified functions, user-specified programs, and so on; in each case a function or program implements the virtual password concept, trading security against the complexity of the human computation. We further propose several functions to serve as system-recommended functions and give a security analysis of them. For user-specified functions we adopt secret little functions, whose security rests on keeping the function or algorithm itself secret rather than only a key.
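
The following is an added illustration of the virtual password idea as the abstract describes it, not code from the paper: the server issues a fresh random challenge, the user answers with f(real password, challenge) computed by hand, and the server recomputes f from its stored copy of the real password. The two schemes, the scheme names, the per-digit linear function with secret coefficients (a, b), the sample PIN and challenges, and the `forge_from_observations` attack are all assumptions of this example; in particular the attack targets this example's own linear function and makes no claim about the functions the paper recommends.

```python
from __future__ import annotations

import secrets
from typing import Callable

# Hypothetical scheme names and functions for this illustration only; the
# paper's own system-recommended functions are not reproduced here.
PIN_LEN = 4

# A scheme is f(real_pin, challenge, user_secret) -> virtual_pin (all digit strings).
Scheme = Callable[[str, str, tuple[int, int]], str]


def f_default(pin: str, challenge: str, secret: tuple[int, int]) -> str:
    """Traditional password: the user types the real PIN unchanged."""
    return pin


def f_linear(pin: str, challenge: str, secret: tuple[int, int]) -> str:
    """Toy per-digit linear function: v_i = (a*p_i + b*c_i) mod 10.

    (a, b) is a secret the user picks at enrolment and evaluates in their
    head, one small multiply-add per digit.  b is taken coprime to 10 so
    that different challenges give different responses.
    """
    a, b = secret
    return "".join(str((a * int(p) + b * int(c)) % 10) for p, c in zip(pin, challenge))


SCHEMES: dict[str, Scheme] = {"default": f_default, "linear": f_linear}


def new_challenge(length: int = PIN_LEN) -> str:
    """Fresh random digits for one login attempt, displayed to the user."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


class Server:
    """Holds each user's real PIN, chosen scheme and per-user secret."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[str, str, tuple[int, int]]] = {}
        self.pending: dict[str, str] = {}  # one outstanding challenge per user

    def enroll(self, name: str, pin: str, scheme: str, secret: tuple[int, int] = (1, 0)) -> None:
        self.users[name] = (pin, scheme, secret)

    def start_login(self, name: str, challenge: str | None = None) -> str:
        c = challenge if challenge is not None else new_challenge()
        self.pending[name] = c
        return c

    def finish_login(self, name: str, response: str) -> bool:
        """Recompute f with the stored PIN and compare in constant time.
        The challenge is consumed on use, so it can never be answered twice."""
        pin, scheme, secret = self.users[name]
        c = self.pending.pop(name, None)
        if c is None:
            return False
        return secrets.compare_digest(SCHEMES[scheme](pin, c, secret), response)


def replay_survives(scheme: str, c1: str = "2580", c2: str = "9036") -> bool:
    """Theft simulation: an observer (keylogger, shoulder surfer) captures one
    legitimate challenge/response pair and replays the response at the next
    login.  Returns True if the server accepts the replay."""
    pin, secret = "4719", (3, 7)  # constructed sample user, not real data
    srv = Server()
    srv.enroll("alice", pin, scheme, secret)
    captured = SCHEMES[scheme](pin, srv.start_login("alice", c1), secret)
    if not srv.finish_login("alice", captured):
        raise RuntimeError("legitimate login must succeed")
    srv.start_login("alice", c2)  # the attacker is issued a new challenge
    return srv.finish_login("alice", captured)


def forge_from_observations(obs: list[tuple[str, str]], challenge: str) -> str | None:
    """Attack on THIS example's f_linear only: two observed (challenge, response)
    pairs give b from the difference of responses, then (a*p_i) mod 10 for each
    position, which is enough to answer any future challenge without ever
    learning p or a.  Returns None if no position's challenge difference is a
    unit mod 10, since b cannot then be isolated from these two observations."""
    (c1, v1), (c2, v2) = obs[:2]
    inverse = {1: 1, 3: 7, 7: 3, 9: 9}  # units mod 10 and their inverses
    b = None
    for i in range(len(c1)):
        d = (int(c1[i]) - int(c2[i])) % 10
        if d in inverse:
            b = ((int(v1[i]) - int(v2[i])) * inverse[d]) % 10
            break
    if b is None:
        return None
    ap = [(int(v1[i]) - b * int(c1[i])) % 10 for i in range(len(c1))]  # a*p_i mod 10
    return "".join(str((ap[i] + b * int(challenge[i])) % 10) for i in range(len(c1)))


if __name__ == "__main__":
    for name in SCHEMES:
        print(f"{name:8s} replay accepted: {replay_survives(name)}")
    print("forged response:", forge_from_observations([("2580", "6697"), ("9036", "5149")], "1111"))
```

With the default scheme the captured response is the real PIN and replays unconditionally; with the challenge-dependent scheme a single captured response is useless against the next challenge, which is the protection the abstract is after. The forging routine shows the other side of the tradeoff: a public function with only a small secret parameter falls to a handful of observations, which is why a scheme ladder reserves its stronger tiers for functions the adversary does not know.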
