A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack

GENÇ, Ziya Alper; LENZINI, Gabriele; RYAN, Peter; VAZQUEZ SANDOVAL, Itzel

doi:10.1007/978-3-030-25109-3_7

Download

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack

GENÇ, Ziya Alper; LENZINI, Gabriele; RYAN, Peter et al.

2019 • In Information Systems Security and Privacy

Peer reviewed

Permalink
https://hdl.handle.net/10993/40158

DOI
10.1007/978-3-030-25109-3_7

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

document.pdf

Author postprint (276.84 kB)

Download

The original publication is part of the Communications in Computer and Information Science (CCIS) book series published by Springer and it is available at https://doi.org/10.1007/978-3-030-25109-3_7

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

honeywords; password-based authentication; secure protocols design; formal security analysis

Abstract :

[en] Password-based authentication is a widespread method to access into systems, thus password files are a valuable resource often target of attacks. To detect when a password file has been stolen, Juels and Rivest introduced the Honeywords System in 2013. The core idea is to store the password with a list of decoy words that are ``indistinguishable'' from the password, called honeywords. An adversary that obtains the password file and, by dictionary attack, retrieves the honeywords can only guess the password when attempting to log in: but any incorrect guess will set off an alarm, warning that file has been compromised. In a recent conference paper, we studied the security of the Honeywords System in a scenario where the intruder also manages to corrupt the server's code (with certain limiting assumptions); we proposed an authentication protocol and proved it secure despite the corruption. In this extended journal version, we detail the analysis and we extend it, under the same attacker model, to the other two protocols of the original Honeywords System, the setup and change of password. We formally verify the security of both of them; further, we discuss that our design suggests a completely new approach that diverges from the original idea of the Honeywords System but indicates an alternative way to authenticate users which is robust to server's code-corruption.

Disciplines :

Computer science

Author, co-author :

GENÇ, Ziya Alper ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

RYAN, Peter ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

VAZQUEZ SANDOVAL, Itzel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

External co-authors :

Language :

English

Title :

A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack

Publication date :

July 2019

Event name :

4th International Conference, ICISSP 2018, Revised Selected Papers

Event place :

Funchal - Madeira, Portugal

Event date :

January 22-24, 2018

Audience :

International

Main work title :

Information Systems Security and Privacy

Publisher :

Springer International Publishing, Cham, Unknown/unspecified

ISBN/EAN :

978-3-030-25109-3

Collection name :

Communications in Computer and Information Science, Volume 977

Pages :

125-151

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

Available on ORBilu :

since 24 August 2019

Statistics

Number of views

230 (11 by Unilu)

Number of downloads

352 (7 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

Furnell, S.M., Dowland, P., Illingworth, H., Reynolds, P.L.: Authentication and supervision: a survey of user attitudes. Comput. Secur. 19, 529–539 (2000)
Goel, V., Perlroth, N.: Yahoo Says 1 Billion User Accounts Were Hacked. NT Times Online (2016). https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html. Accessed 04 Sept 2017
Newman, L.H.: Yahoo’s 2013 email hack actually compromised three billion accounts. Wired (2017). https://www.wired.com/story/yahoo-breach-three-billion-accounts/
Beck, K.: Hackers are selling account credentials for 400 million Tumblr and MyS-pace users. Machable (2016). http://mashable.com/2016/05/31/myspace-tumblr-hack. Accessed 04 Sept 2017
Juels, A., Rivest, R.L.: Honeywords: Making password-cracking detectable. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 145–160. ACM (2013)
Erguler, I.: Achieving flatness: selecting the honeywords from existing user passwords. IEEE Trans. Dependable Secure Comput. 13(2), 284–295 (2016)
Genc, Z.A., Lenzini, G., Ryan, P.Y.A., Vazquez-Sandoval, I.: A security analysis, and a fix, of a code-corrupted honeywords system. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy (2018)
Botha, R.A., Eloff, J.H.P.: Separation of duties for access control enforcement in workflow environments. IBM Syst. J. 40, 666–682 (2001)
NIST: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (2015)
Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop, pp. 82–96. IEEE (2001)
Brumley, B.B., Tuveri, N.: Remote Timing Attacks Are Still Practical. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 355–371. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_20