DOI: 10.1145/3171533.3171542

End-to-End Passwords

Published: 01 October 2017

Abstract

Passwords continue to be an important means for users to authenticate themselves to applications, websites, and backend services. However, password theft continues to be a significant issue, due in large part to the large attack surface for passwords, including the operating system (e.g., key loggers), the application (e.g., phishing websites in browsers), transmission (e.g., TLS man-in-the-middle proxies), and password verification services (e.g., theft of passwords stored at a server). Relatedly, even though there is a large body of research on improving passwords, the massive number of application verification services that use passwords stymies the diffusion of improvements---i.e., it does not scale for each improvement to require an update to every application and verification service.
To address these problems, we propose a new end-to-end password paradigm that transfers password functionality to two end-points, the operating system (entry, management, storage, and verification) and the password verification service (verification and verification-token storage). In this paradigm, passwords are never shared with applications or transmitted over the network, but are instead verified using zero-knowledge protocols. There are five key benefits of this approach that are not possible with the current password paradigm: (a) a minimal attack surface, (b) protection from password phishing, (c) protection from malware, (d) consistent password policies, and (e) the ability to more rapidly diffuse improvements from password research.
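One concrete protocol of the kind the abstract relies on is an augmented password-authenticated key exchange. The following is an added example, not code from the paper or its authors, that runs SRP-6a between the two end-points described above: the OS-side client, which holds the password, and the verification service, which stores only a salt and a verifier. The group parameters are the 1024-bit group from RFC 5054 Appendix A (transcribed here and assumed correct); the `Client`/`Server` classes, the simplified key-confirmation messages, `run_login`, and the sample user are my own constructions.

```python
"""Added example, not code from the paper: an SRP-6a password-authenticated key
exchange between the two end-points the abstract describes.  The user's OS holds
the password; the verification service holds only a salt and a verifier."""
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A (transcribed here; check it against
# the RFC before relying on it).  Generator g = 2.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
        "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
        "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
        "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
        "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8

def to_bytes(x: int) -> bytes:
    """Left-pad x to the byte length of N (PAD() in RFC 5054)."""
    return x.to_bytes(N_LEN, "big")

def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(sha(*parts), "big")

K_MULT = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier k = H(N || PAD(g))

def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt || H(I ":" P)); computed only on the user's own OS."""
    return H(salt, sha(f"{username}:{password}".encode()))

def enroll(username: str, password: str) -> tuple[bytes, int]:
    """Enrollment on the OS: only (salt, verifier v = g^x mod N) goes to the service."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)

class Client:
    """OS-side end-point: knows the password and never transmits it."""
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password

    def start(self):  # message 1 -> server: I, A = g^a
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)
        return self.I, self.A

    def respond(self, salt: bytes, B: int) -> bytes:  # message 3 -> server: M1
        if B % N == 0:
            raise ValueError("invalid server public value B")
        u = H(to_bytes(self.A), to_bytes(B))
        if u == 0:
            raise ValueError("scrambling parameter u is zero")
        x = private_x(salt, self.I, self.P)
        S = pow((B - K_MULT * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = sha(to_bytes(S))                                # session key
        self.M1 = sha(to_bytes(self.A), to_bytes(B), self.K)    # simplified vs RFC 5054
        return self.M1

    def finish(self, M2: bytes) -> bool:  # message 4 check: did the server derive K too?
        return secrets.compare_digest(M2, sha(to_bytes(self.A), self.M1, self.K))

class Server:
    """Verification service: stores {username: (salt, verifier)} and nothing else."""
    def __init__(self, records: dict):
        self.records = records

    def challenge(self, I: str, A: int):  # message 2 -> client: salt, B = k*v + g^b
        if A % N == 0:
            raise ValueError("invalid client public value A")
        salt, self.v = self.records[I]
        self.A, self.b = A, secrets.randbelow(N - 1) + 1
        self.B = (K_MULT * self.v + pow(g, self.b, N)) % N
        return salt, self.B

    def verify(self, M1: bytes):  # message 4 -> client: M2, or None if M1 is wrong
        u = H(to_bytes(self.A), to_bytes(self.B))
        S = pow((self.A * pow(self.v, u, N)) % N, self.b, N)
        self.K = sha(to_bytes(S))
        if not secrets.compare_digest(M1, sha(to_bytes(self.A), to_bytes(self.B), self.K)):
            return None                   # wrong password: no session key is released
        return sha(to_bytes(self.A), M1, self.K)

def run_login(server: Server, username: str, password: str) -> bool:
    """Drive one login; True only if both sides accept and derive the same key."""
    client = Client(username, password)
    salt, B = server.challenge(*client.start())
    M2 = server.verify(client.respond(salt, B))
    return M2 is not None and client.finish(M2) and client.K == server.K

if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse battery staple")  # constructed sample user
    service = Server({"alice": (salt, v)})
    print("right password:", run_login(service, "alice", "correct horse battery staple"))
    print("wrong password:", run_login(service, "alice", "tr0ub4dor&3"))
```

What the exchange shows in terms of the abstract's attack surface: the application in between never handles the password, the wire carries only `A`, `B` and two hashes, and a compromise of the verification service yields only `(salt, v)`, which still has to be attacked offline. The `A % N == 0`, `B % N == 0` and `u == 0` checks are the ones SRP requires to stop a peer from forcing a trivial shared secret, and the constant-time comparisons keep the proof checks from leaking timing.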



Published In

NSPW '17: Proceedings of the 2017 New Security Paradigms Workshop
October 2017
138 pages
ISBN:9781450363846
DOI:10.1145/3171533
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

In-Cooperation

  • NSF: National Science Foundation
  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States



Author Tags

  1. End-to-end
  2. password-based authentication
  3. passwords
  4. safe password entry
  5. strong password protocols

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

NSPW '17
NSPW '17: 2017 New Security Paradigms Workshop
October 1 - 4, 2017
Santa Cruz, CA, USA

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%

Article Metrics

  • Downloads (last 12 months): 23
  • Downloads (last 6 weeks): 0
Reflects downloads up to 11 Dec 2024

Citations

Cited By

  • (2024) One-Time Passwords: A Literary Review of Different Protocols and Their Applications. Advanced Research in Technologies, Information, Innovation and Sustainability, pp. 205-219. DOI: 10.1007/978-3-031-48855-9_16. Online publication date: 3 Jan 2024.
  • (2021) Systematization of Password Manager Use Cases and Design Paradigms. Proceedings of the 37th Annual Computer Security Applications Conference, pp. 528-540. DOI: 10.1145/3485832.3485889. Online publication date: 6 Dec 2021.
  • (2020) That was then, this is now. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 2165-2182. DOI: 10.5555/3489212.3489334. Online publication date: 12 Aug 2020.
  • (2020) ByPass: Reconsidering the Usability of Password Managers. Security and Privacy in Communication Networks, pp. 446-466. DOI: 10.1007/978-3-030-63086-7_24. Online publication date: 12 Dec 2020.
  • (2019) Password Strength Measurement without Password Disclosure. 2019 14th Asia Joint Conference on Information Security (AsiaJCIS), pp. 157-164. DOI: 10.1109/AsiaJCIS.2019.00013. Online publication date: Aug 2019.
  • (2017) Layering Security at Global Control Points to Secure Unmodified Software. 2017 IEEE Cybersecurity Development (SecDev), pp. 42-49. DOI: 10.1109/SecDev.2017.20. Online publication date: Sep 2017.
