  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
31

Token-based Graphical Password Authentication

Gyorffy, John 11 1900
Given that phishing is an ever-increasing problem, a better authentication system than the current alphanumeric system is needed. Because of the large number of current authentication systems that use alphanumeric passwords, a new solution should be compatible with these systems. We propose a system that uses a graphical password deployed from a Trojan- and virus-resistant embedded device as a possible solution. The graphical password would require the user to choose a family photo sized to 441x331 pixels. Using this image, a novel image hash provides an input into a cryptosystem on the embedded device that subsequently returns an encryption key or text password. The graphical password requires the user to click five to eight points on the image. From these click-points, the embedded device stretches the graphical password input to a 32-character, random, unique alphanumeric password or a 256-bit AES key. Each embedded device and image are unique components in the graphical password system. Additionally, one graphical password can generate many 32-character unique, alphanumeric passwords using its embedded device, which eliminates the need for the user to memorize many passwords. / Computer Engineering
32

Graphical one-time password authentication

Alsaiari, Hussain January 2016
Complying with a security policy often requires users to create long and complex passwords to protect their accounts. However, remembering such passwords appears difficult for many and may lead to insecure practices, such as choosing weak passwords or writing them down. One-Time Passwords (OTPs) aim to overcome such problems; however, most implemented OTP techniques require special hardware, which not only adds costs, but also raises issues regarding availability. This type of authentication mechanism is mostly adopted by online banking systems to secure their clients’ accounts. However, carrying around authentication tokens was found to be an inconvenient experience for many customers. Not only the inconvenience, but if the token was unavailable, for any reason, this would prevent customers from accessing their accounts securely. In contrast, there is the potential to use graphical passwords as an alternative authentication mechanism designed to aid memorability and ease of use. The idea of this research is to combine the usability of recognition-based and draw-based graphical passwords with the security of OTP. A new multi-level user-authentication solution known as: Graphical One-Time Password (GOTPass) was proposed and empirically evaluated in terms of usability and security aspects. The usability experiment was conducted during three separate sessions, which took place over five weeks, to assess the efficiency, effectiveness, memorability and user satisfaction of the new scheme. The results showed that users were able to easily create and enter their credentials as well as remember them over time. Eighty-one participants carried out a total of 1,302 login attempts with a 93% success rate and an average login time of 24.5 seconds. With regard to the security evaluation, the research simulated three common types of graphical password attacks (guessing, intersection, and shoulder-surfing). 
The participants’ task was to act as attackers to try to break into the system. The GOTPass scheme showed a high resistance capability against the attacks, as only 3.3% of the 690 total attempts succeeded in compromising the system.
33

A STUDY ON HOMOPHONE WORDS IN THE DICTIONARY-BASED PASSWORD CRACKING

Mandapaka, Ajay 01 December 2017
Password cracking based on dictionary attacks has been confined only to the use of dictionary strings which make sense to both humans and the computer or are usually alphanumeric keyboard patterns. But here we also try to extend the dictionary attacks to homophones, which the millennials tend to use more often. The word LOVE is used as LUV, LAV. Based on the pronunciation of a word, there can be many spellings of it. Phoneme to Grapheme Correspondences have a great amount of significance here. So in this research we try to incorporate all such words in the attacking dictionary with the highest possible probabilities to see if it has any impact on the password cracking efficiency. We use the probabilistic context-free grammar password cracker to see what our test results yield.
34

PASSWORD PRACTICE : The effect of training on password practice

Ekström, Niklas January 2015
There are several concerning issues with passwords today; one of them is weak passwords, but password management also plays a big role, e.g. when users reuse passwords over several services or don't change their passwords on a regular basis. With the usage of passwords for several aspects of our daily lives comes the responsibility of trying to mitigate these issues, a role that often falls onto the users themselves. The usage of guidelines has proved helpful in this regard but still lacks important aspects. This paper suggests the usage of education in the form of a lecture to help with the problem. In this paper we conducted a study of password leaks and a literature analysis of the area around passwords, and performed some qualitative interviews with different kinds of people with varying education and usage of passwords. The results from these studies will then lay the foundation for the lecture in the experiment part of the paper; two experiment groups will be used, one given a lecture as education on the matter and one control group not given any education. The study has shown that the usage of a lecture can help increase the entropy and average length of users' passwords. These results can be interpreted together with another study that did a similar experiment to suggest that a lecture can be a more efficient way to teach users about passwords.
35

Användarkontohantering : Analys av användarvänlighet / User Account Management: An Analysis of Usability

Stenman, Kenneth January 2015
Password Management Systems are systems that help users gain control over their user accounts and passwords. This study analyses three selected systems, how user-friendly they are, and what type of authentication and encryption they use. The method used is experiments together with interviews of five participants, all of whom had different levels of experience with computers. The study has shown that the usability of most of the systems is high. Risks exist in repeated passwords and usernames, as well as insecure authentication. This study shows that Password Management Systems can easily help users create and use secure passwords. Future work could look more closely at the security of Password Management Systems, conduct a case study in organisations, and look more closely at Swedish systems.
36

Distribuované generování hesel pomocí pravděpodobnostních gramatik / Distributed Password Generation Using Probabilistic Grammars

Mikuš, Dávid January 2019
This thesis describes the process of cracking a password, existing types of attacks, and generating passwords using a probabilistic grammar. This grammar can be used as an attack that works on the basis of learning from an existing list of passwords and generating passwords using the context-free grammar constructed in the learning phase. The core of this thesis is the design and implementation of a distributed solution for this type of attack. The implementation includes refactoring of the existing solution and optimization to maximize the use of every available resource.
37

Moderní metody ověření identity uživatelů / Modern methods for user authentication

Sýkora, Daniel January 2009
The main focus of this Master's thesis is modern methods for user authentication. The first part briefly describes currently used protocols and points out their advantages and disadvantages. The theoretical introduction analyzes the principles of zero-knowledge authentication and password-based protocols, and describes the concept of a new-generation hash function. The practical part describes the specific implementation of authentication protocols: the Ohta-Okamoto protocol as a representative of the zero-knowledge protocols, and SRP (Secure Remote Password), which represents password-based protocols. In both cases, the installation procedure is described, followed by an analysis of their implementation (at the source code level), which is then compared with the transmitted data captured by Wireshark. The SRP protocol is verified with the AVISPA tool. The conclusion contains a summary of the security analysis of both protocols.
38

Bezpečný přístup do webového rozhraní / Secure access to web interface

Kazik, Milan January 2009
This document contains basic principles and processes regarding secure access to a web information system. It consists of a theoretical and an applied part, which are mainly written together in the chapters of the thesis. The theoretical information was tested on a simple web application created in the PHP language on an Apache web server using a MySQL database. In the beginning, there is an analysis of the programming environment used, especially its advantages and disadvantages. The main part of this document is a simple characterization of many security problems which can be found on many websites all around the world. First of all, there is the problem of handling inputs and outputs in web applications. The issue of passwords is addressed separately. The theory of each problem is analysed first. Then a couple of solution methods are suggested, and the one which is implemented in practice is described in detail. A notification system was created which is used to inform the user about errors that appear in the web application. The last section describes client and server certificates. This document contains a full characterization of the scripts used and the connections between them. They are supplemented with many pictures and screenshots which are used to aid understanding of web security issues.
39

The Use of One-Time Password and RADIUS Authentication in a GSS-API Architecture

Yang, Xi January 2006
The Generic Security Service Application Program Interface (GSS-API) is an architecture that facilitates applications using distributed security services in a mechanism-independent fashion. GSS-API is supported by various underlying mechanisms and technologies such as Kerberos version 5 and public-key technologies. However, no one-time password based GSS-API mechanism existed. This thesis focuses on an investigation using one-time passwords together with RADIUS authentication as a protection facility for a GSS-API mechanism. This thesis presents a security architecture using one-time passwords to establish a GSS-API security context between two communicating peers. The proposed one-time password based GSS-API mechanism could be used to enhance the security of user authentication. Moreover, the mechanism can greatly facilitate static-password based system’s transition to stronger authentication. / IETF GSS-API is an application programming interface (API) that provides distributed security services for authentication and data confidentiality independently of the underlying security architecture. Applications written against this API can thus be moved or ported without being substantially rewritten. GSS-API is supported by a number of underlying security architectures such as Kerberos 5, Windows NTLM and PKI. The API also has so-called bindings for "C" and Java. At present, however, there is no solution based on one-time passwords. The aim of this master's thesis is to investigate the possibility of using one-time passwords together with RADIUS to implement a new GSS-API mechanism. This thesis presents a proposal for how RADIUS and one-time passwords can be used to secure communication between two GSS-API entities. The proposed mechanism can also be used to improve the security of user authentication and enable a transition from static passwords to strong authentication.
40

Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas / Characteristics and applications of cryptographic hash functions in password management

Andrade, Alicia 07 January 2019
Currently, cryptography is of vital importance in the protection of information, guaranteeing confidentiality, authenticity, integrity and availability. Within this area, cryptographic hash (digest) functions have wide applicability in secure systems and protocols. Their main function is to map a string of arbitrary length (the message) to one of fixed length (the digest) in such a way that it is very unlikely to obtain the message from the digest or to find two messages that generate the same digest. Password-based key derivation functions (PBKDFs) are specialized hash functions that are commonly used to transform user passwords into keys for symmetric encryption, as well as for user authentication. A PBKDF with three levels of optimization is proposed, whose design is based on using the Advanced Encryption Standard (AES) as a pseudorandom generator and taking advantage of hardware acceleration support for AES to mitigate common attacks on password-based user authentication systems. Its security characteristics are also analysed, establishing that it is equivalent to the security of AES, and its performance is compared with well-regarded PBKDF algorithms, such as Scrypt and Argon2, with favourable results.
