A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack

Genç, Ziya Alper; Lenzini, Gabriele; Ryan, Peter; Vazquez Sandoval, Itzel

doi:10.1007/978-3-030-25109-3_7

Reference : A Critical Security Analysis of the Password-Based Authentication Honeywords System U...


	Document type :	Scientific congresses, symposiums and conference proceedings : Paper published in a book
	Discipline(s) :	Engineering, computing & technology : Computer science
	Focus Areas :	Security, Reliability and Trust
	To cite this reference:	http://hdl.handle.net/10993/40158

Title :	A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack
Language :	English
Author, co-author :	Genç, Ziya Alper [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) >]
	Lenzini, Gabriele [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) >]
	Ryan, Peter [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
	Vazquez Sandoval, Itzel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) >]
Publication date :	Jul-2019
Main document title :	Information Systems Security and Privacy
Publisher :	Springer International Publishing
Collection and collection volume :	Communications in Computer and Information Science, Volume 977
Pages :	125-151
Peer reviewed :	Yes
Audience :	International
ISBN :	978-3-030-25109-3
City :	Cham
Event name :	4th International Conference, ICISSP 2018, Revised Selected Papers
Event date :	January 22-24, 2018
Event place (city) :	Funchal - Madeira
Event country :	Portugal
Keywords :	[en] honeywords ; password-based authentication ; secure protocols design ; formal security analysis
Abstract :	[en] Password-based authentication is a widespread method to access into systems, thus password files are a valuable resource often target of attacks. To detect when a password file has been stolen, Juels and Rivest introduced the Honeywords System in 2013. The core idea is to store the password with a list of decoy words that are ``indistinguishable'' from the password, called honeywords. An adversary that obtains the password file and, by dictionary attack, retrieves the honeywords can only guess the password when attempting to log in: but any incorrect guess will set off an alarm, warning that file has been compromised. In a recent conference paper, we studied the security of the Honeywords System in a scenario where the intruder also manages to corrupt the server's code (with certain limiting assumptions); we proposed an authentication protocol and proved it secure despite the corruption. In this extended journal version, we detail the analysis and we extend it, under the same attacker model, to the other two protocols of the original Honeywords System, the setup and change of password. We formally verify the security of both of them; further, we discuss that our design suggests a completely new approach that diverges from the original idea of the Honeywords System but indicates an alternative way to authenticate users which is robust to server's code-corruption.
Permalink :	http://hdl.handle.net/10993/40158
DOI :	10.1007/978-3-030-25109-3_7
Mentions required by the publisher for OA :	The original publication is part of the Communications in Computer and Information Science (CCIS) book series published by Springer and it is available at https://doi.org/10.1007/978-3-030-25109-3_7

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	document.pdf		Author postprint	270.35 kB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices