We presented a simple and efficient password-based encrypted key exchange protocol that allows a user to establish secure session keys with remote servers from client terminals in low resource environments. He does no...We presented a simple and efficient password-based encrypted key exchange protocol that allows a user to establish secure session keys with remote servers from client terminals in low resource environments. He does not need to carry smart card storing his private information but just needs to know his identity and password. For this purpose, the scheme was implemented over elliptic curves because of their well-known advantages with regard to processing and size constraints. Furthermore, the scheme is provably secure under the assumptions that the hash function closely behaves like a random oracle and that the elliptic curve computational Diffie-Hellman problem is difficult.展开更多
Password security is a crucial component of modern internet security. In this paper, we present a provably secure method for password verification using combinatorial group theory. This method relies on the group rand...Password security is a crucial component of modern internet security. In this paper, we present a provably secure method for password verification using combinatorial group theory. This method relies on the group randomizer system, a subset of the MAGNUS computer algebra system and corrects most of the present problems with challenge response systems, the most common types of password verification. Theoretical security of the considered method depends on several results in asymptotic group theory. We mention further that this method has applications for many other password situations including container security.展开更多
This paper proposes a scheme for password management by storing password encryptions on a server. The method involves having the encryption key split into a share for the user and one for the server. The user’s share...This paper proposes a scheme for password management by storing password encryptions on a server. The method involves having the encryption key split into a share for the user and one for the server. The user’s share shall be based solely on a selected passphrase. The server’s share shall be generated from the user’s share and the encryption key. The security and trust are achieved by performing both encryption and decryption on the client side. We also address the issue of countering dictionary attack by providing a further enhancement of the scheme.展开更多
Honey vaults are useful tools for password management. A vault usually contains usernames for each domain, and the corresponding passwords, encrypted with a master password chosen by the owner. By generating decoy vau...Honey vaults are useful tools for password management. A vault usually contains usernames for each domain, and the corresponding passwords, encrypted with a master password chosen by the owner. By generating decoy vaults for incorrect master password attempts, honey vaults force attackers with the vault’s storage fle to engage in online verifcation to distinguish the real vaults, thus thwarting ofine guessing attacks. However, sophisticated attackers can acquire additional information, such as personally identifable information (PII) and partial passwords contained within the vault from various data breaches. Since many users tend to incorporate PII in their passwords, attackers may utilize PII to distinguish the real vault. Furthermore, if attackers may learn partial passwords included in the real vault, it can exclude numerous decoy vaults without the need for online verifcation. Indeed, both leakages pose serious threats to the security of the existing honey vault schemes. In this paper, we explore two attack vari-antsof the inspired attack scenario, where the attacker gains access to the vault’s storage fle along with acquiring PII and partial passwords contained within the real vault, and design a new honey vault scheme. For security assurance, we prove that our scheme is secure against one of the aforementioned attack variants. Moreover, our experimental fndings suggest enhancements in security against the other attack. In particular, to evaluate the security in multiple leakage cases where both the vault’s storage fle and PII are leaked, we propose several new practical attacks (called PII-based attacks), building upon the existing practical attacks in the traditional single leakage case where only the vault’s storage fle is compromised. Our experimental results demonstrate that certain PII-based attacks achieve a 63–70% accuracy in distinguishing the real vault from decoys in the best-performing honey vault scheme (Cheng et al. in Incrementally updateable honey password vaults, pp 857–874, 2021). Our scheme reduces these metrics to 41–50%, closely approaching the ideal value of 50%.展开更多
TarGuess-I is a leading model utilizing Personally Identifiable Information for online targeted password guessing.Due to its remarkable guessing performance,the model has drawn considerable attention in password secur...TarGuess-I is a leading model utilizing Personally Identifiable Information for online targeted password guessing.Due to its remarkable guessing performance,the model has drawn considerable attention in password security research.However,through an analysis of the vulnerable behavior of users when constructing passwords by combining popular passwords with their Personally Identifiable Information,we identified that the model fails to consider popular passwords and frequent substrings,and it uses overly broad personal information categories,with extensive duplicate statistics.To address these issues,we propose an improved password guessing model,TGI-FPR,which incorporates three semantic methods:(1)identification of popular passwords by generating top 300 lists from similar websites,(2)use of frequent substrings as new grammatical labels to capture finer-grained password structures,and(3)further subdivision of the six major categories of personal information.To evaluate the performance of the proposed model,we conducted experiments on six large-scale real-world password leak datasets and compared its accuracy within the first 100 guesses to that of TarGuess-I.The results indicate a 2.65%improvement in guessing accuracy.展开更多
Because the modified remote user authentication scheme proposed by Shen, Lin and Hwang is insecure, the Shen-Lin-Hwang' s scheme is improved and a new secure remote user authentication scheme based on the bi- linear ...Because the modified remote user authentication scheme proposed by Shen, Lin and Hwang is insecure, the Shen-Lin-Hwang' s scheme is improved and a new secure remote user authentication scheme based on the bi- linear parings is proposed. Moreover, the effectiveness of the new scheme is analyzed, and it is proved that the new scheme can prevent from all kinds of known attack. The one-way hash function is effective in the new scheme. The new scheme is proved that it has high effectiveness and fast convergence speed. Moreover, the ap- plication of the new scheme is easy and operational.展开更多
Identity authentication is the first line of defense for network security.Passwords have been the most widely used authentication method in recent years.Although there are security risks in passwords,they will be the ...Identity authentication is the first line of defense for network security.Passwords have been the most widely used authentication method in recent years.Although there are security risks in passwords,they will be the primary method in the future due to their simplicity and low cost.Considering the security and usability of passwords,we propose AvoidPwd,which is a novel mnemonic password generation strategy that is based on keyboard transformation.AvoidPwd helps users customize a“route”to bypass an“obstacle”and choose the characters on the“route”as the final password.The“obstacle”is a certain word using any language and the keys adjacent to the“obstacle”are typed with the“Shift”key.A two-part experiment was conducted to examine the memorability and security of the AvoidPwd strategy with other three password strategies and three leaked password sets.The results showed that the passwords generated by the AvoidPwd strategy were more secure than the other leaked password sets.Meanwhile,AvoidPwd outperformed the KbCg,SpIns,and Alphapwd in balancing security and usability.In addition,there are more symbols in the character distribution of AvoidPwd than the other strategies.AvoidPwd is hopeful to solve the security problem that people are difficult to remember symbols and they tend to input letters and digits when creating passwords.展开更多
In the last few years,cyber security has been an essential prerequisite for almost every organization to handle the massive number of emerging cyber attacks worldwide.A critical factor in reducing the possibility of b...In the last few years,cyber security has been an essential prerequisite for almost every organization to handle the massive number of emerging cyber attacks worldwide.A critical factor in reducing the possibility of being exploited is cyber security awareness.Not only having the adequate knowledge but how to utilize this knowledge to prevent cyber attacks.In this paper we conducted a survey that focuses on three vital security parameters,which are trust,passwords and defensive attitude respectively.The survey mainly aimed at assessing cyber security knowledge of 200 students and 100 faculty members in a Sudanese college and how secure these participants think they are according to their current cyber behaviour.56%of the participants are males and 44%are females.The results revealed that all participants were having fairly-low level of security awareness and their defensive attitude is considerably weak and doesn’t protect them either individually or at institutional-level.Nevertheless,faculty member showed better cyber security knowledge and skills by 8%higher than students.This study can be used to develop training approaches that bridge the security gaps depicted by the respondents of the survey questions manipulated in this study.展开更多
Nowadays, the password-based remote user authentication mechanism using smart card is one of the simplest and convenient authentication ways to ensure secure communications over the public network environments. Recent...Nowadays, the password-based remote user authentication mechanism using smart card is one of the simplest and convenient authentication ways to ensure secure communications over the public network environments. Recently, Liu et al. proposed an efficient and secure smart card based password authentication scheme. However, we find that Liu et al.’s scheme is vulnerable to the off-line password guessing attack and user impersonation attack. Furthermore, it also cannot provide user anonymity. In this paper, we cryptanalyze Liu et al.’s scheme and propose a security enhanced user authentication scheme to overcome the aforementioned problems. Especially, in order to preserve the user anonymity and prevent the guessing attack, we use the dynamic identity technique. The analysis shows that the proposed scheme is more secure and efficient than other related authentication schemes.展开更多
To achieve privacy and authentication sinmltaneously in mobile applications, various Three-party Password-authenticated key exchange (3PAKE) protocols have been proposed. However, some of these protocols are vulnera...To achieve privacy and authentication sinmltaneously in mobile applications, various Three-party Password-authenticated key exchange (3PAKE) protocols have been proposed. However, some of these protocols are vulnerable to conventional attacks or have low efficiency so that they cannot be applied to mobile applications. In this paper, we proposed a password-authenticated multiple key exchange protocol for mobile applications using elliptic curve cryptosystem. The proposed protocol can achieve efficiency, reliability, flexibility and scalability at the same time. Compared with related works, the proposed protocol is more suitable and practical for mobile applications.展开更多
The Internet has penetrated all aspects of human society and has promoted social progress.Cyber-crimes in many forms are commonplace and are dangerous to society and national security.Cybersecurity has become a major ...The Internet has penetrated all aspects of human society and has promoted social progress.Cyber-crimes in many forms are commonplace and are dangerous to society and national security.Cybersecurity has become a major concern for citizens and governments.The Internet functions and software applications play a vital role in cybersecurity research and practice.Most of the cyber-attacks are based on exploits in system or application software.It is of utmost urgency to investigate software security problems.The demand for Wi-Fi applications is proliferating but the security problem is growing,requiring an optimal solution from researchers.To overcome the shortcomings of the wired equivalent privacy(WEP)algorithm,the existing literature proposed security schemes forWi-Fi protected access(WPA)/WPA2.However,in practical applications,the WPA/WPA2 scheme still has some weaknesses that attackers exploit.To destroy a WPA/WPA2 security,it is necessary to get a PSK pre-shared key in pre-shared key mode,or an MSK master session key in the authentication mode.Brute-force cracking attacks can get a phase-shift keying(PSK)or a minimum shift keying(MSK).In real-world applications,many wireless local area networks(LANs)use the pre-shared key mode.Therefore,brute-force cracking of WPA/WPA2-PSK is important in that context.This article proposes a new mechanism to crack theWi-Fi password using a graphical processing unit(GPU)and enhances the efficiency through parallel computing of multiple GPU chips.Experimental results show that the proposed algorithm is effective and provides a procedure to enhance the security of Wi-Fi networks.展开更多
Authenticated Diffie-Hellman key agreement is quite popular for establishing secure session keys. As resource-limited mobile devices are becoming more popular and security threats are increasing, it is desirable to re...Authenticated Diffie-Hellman key agreement is quite popular for establishing secure session keys. As resource-limited mobile devices are becoming more popular and security threats are increasing, it is desirable to reduce computational load for these resource-limited devices while still preserving its strong security and convenience for users. In this paper, we propose a new smart-card-based user authenticated key agreement scheme which allows users to memorize passwords, reduces users' device computational load while still preserves its strong security. The proposed scheme effectively improves the computational load of modular exponentiations by 50%, and the security is formally proved.展开更多
An intelligent detecting system based on wireless transmission is designed. Its hardware includes the card reading module, the wireless digital transmission module, the LCD module, the random password keyboard module ...An intelligent detecting system based on wireless transmission is designed. Its hardware includes the card reading module, the wireless digital transmission module, the LCD module, the random password keyboard module and a 16×16 lattice word database based on e-Flash MM36SB020. Its software is a communication protocol between the central control computer and the entrance management base station. To resolve the conflicting problems occurred during the data transmission, a method of delaying time at random is proposed.展开更多
基金Supported by the National Natural Science Foun-dation of China (60473021)
文摘We presented a simple and efficient password-based encrypted key exchange protocol that allows a user to establish secure session keys with remote servers from client terminals in low resource environments. He does not need to carry smart card storing his private information but just needs to know his identity and password. For this purpose, the scheme was implemented over elliptic curves because of their well-known advantages with regard to processing and size constraints. Furthermore, the scheme is provably secure under the assumptions that the hash function closely behaves like a random oracle and that the elliptic curve computational Diffie-Hellman problem is difficult.
文摘Password security is a crucial component of modern internet security. In this paper, we present a provably secure method for password verification using combinatorial group theory. This method relies on the group randomizer system, a subset of the MAGNUS computer algebra system and corrects most of the present problems with challenge response systems, the most common types of password verification. Theoretical security of the considered method depends on several results in asymptotic group theory. We mention further that this method has applications for many other password situations including container security.
文摘This paper proposes a scheme for password management by storing password encryptions on a server. The method involves having the encryption key split into a share for the user and one for the server. The user’s share shall be based solely on a selected passphrase. The server’s share shall be generated from the user’s share and the encryption key. The security and trust are achieved by performing both encryption and decryption on the client side. We also address the issue of countering dictionary attack by providing a further enhancement of the scheme.
基金supported by the National Natural Science Foundation of China(Nos.62172404,62172411,61972094,62202458).
文摘Honey vaults are useful tools for password management. A vault usually contains usernames for each domain, and the corresponding passwords, encrypted with a master password chosen by the owner. By generating decoy vaults for incorrect master password attempts, honey vaults force attackers with the vault’s storage fle to engage in online verifcation to distinguish the real vaults, thus thwarting ofine guessing attacks. However, sophisticated attackers can acquire additional information, such as personally identifable information (PII) and partial passwords contained within the vault from various data breaches. Since many users tend to incorporate PII in their passwords, attackers may utilize PII to distinguish the real vault. Furthermore, if attackers may learn partial passwords included in the real vault, it can exclude numerous decoy vaults without the need for online verifcation. Indeed, both leakages pose serious threats to the security of the existing honey vault schemes. In this paper, we explore two attack vari-antsof the inspired attack scenario, where the attacker gains access to the vault’s storage fle along with acquiring PII and partial passwords contained within the real vault, and design a new honey vault scheme. For security assurance, we prove that our scheme is secure against one of the aforementioned attack variants. Moreover, our experimental fndings suggest enhancements in security against the other attack. In particular, to evaluate the security in multiple leakage cases where both the vault’s storage fle and PII are leaked, we propose several new practical attacks (called PII-based attacks), building upon the existing practical attacks in the traditional single leakage case where only the vault’s storage fle is compromised. Our experimental results demonstrate that certain PII-based attacks achieve a 63–70% accuracy in distinguishing the real vault from decoys in the best-performing honey vault scheme (Cheng et al. in Incrementally updateable honey password vaults, pp 857–874, 2021). Our scheme reduces these metrics to 41–50%, closely approaching the ideal value of 50%.
基金supported by the Joint Funds of National Natural Science Foundation of China(Grant No.U23A20304)the Fund of Laboratory for Advanced Computing and Intelligence Engineering(No.2023-LYJJ-01-033)+1 种基金the Special Funds of Jiangsu Province Science and Technology Plan(Key R&D ProgramIndustryOutlook and Core Technologies)(No.BE2023005-4)the Science Project of Hainan University(KYQD(ZR)-21075).
文摘TarGuess-I is a leading model utilizing Personally Identifiable Information for online targeted password guessing.Due to its remarkable guessing performance,the model has drawn considerable attention in password security research.However,through an analysis of the vulnerable behavior of users when constructing passwords by combining popular passwords with their Personally Identifiable Information,we identified that the model fails to consider popular passwords and frequent substrings,and it uses overly broad personal information categories,with extensive duplicate statistics.To address these issues,we propose an improved password guessing model,TGI-FPR,which incorporates three semantic methods:(1)identification of popular passwords by generating top 300 lists from similar websites,(2)use of frequent substrings as new grammatical labels to capture finer-grained password structures,and(3)further subdivision of the six major categories of personal information.To evaluate the performance of the proposed model,we conducted experiments on six large-scale real-world password leak datasets and compared its accuracy within the first 100 guesses to that of TarGuess-I.The results indicate a 2.65%improvement in guessing accuracy.
基金Supported by the National Science Foundation for Young Scholars of China(61001091)~~
文摘Because the modified remote user authentication scheme proposed by Shen, Lin and Hwang is insecure, the Shen-Lin-Hwang' s scheme is improved and a new secure remote user authentication scheme based on the bi- linear parings is proposed. Moreover, the effectiveness of the new scheme is analyzed, and it is proved that the new scheme can prevent from all kinds of known attack. The one-way hash function is effective in the new scheme. The new scheme is proved that it has high effectiveness and fast convergence speed. Moreover, the ap- plication of the new scheme is easy and operational.
基金supported in part by the National Natural Science Foundation of China (No. 61803149 and No. 61977021)in part by the Technology Innovation Special Program of Hubei Province (No. 2020AEA008)in part by the Hubei Province Project of Key Research Institute of Humanities and Social Sciences at Universities (Research Center of Information Management for Performance Evaluation)
文摘Identity authentication is the first line of defense for network security.Passwords have been the most widely used authentication method in recent years.Although there are security risks in passwords,they will be the primary method in the future due to their simplicity and low cost.Considering the security and usability of passwords,we propose AvoidPwd,which is a novel mnemonic password generation strategy that is based on keyboard transformation.AvoidPwd helps users customize a“route”to bypass an“obstacle”and choose the characters on the“route”as the final password.The“obstacle”is a certain word using any language and the keys adjacent to the“obstacle”are typed with the“Shift”key.A two-part experiment was conducted to examine the memorability and security of the AvoidPwd strategy with other three password strategies and three leaked password sets.The results showed that the passwords generated by the AvoidPwd strategy were more secure than the other leaked password sets.Meanwhile,AvoidPwd outperformed the KbCg,SpIns,and Alphapwd in balancing security and usability.In addition,there are more symbols in the character distribution of AvoidPwd than the other strategies.AvoidPwd is hopeful to solve the security problem that people are difficult to remember symbols and they tend to input letters and digits when creating passwords.
文摘In the last few years,cyber security has been an essential prerequisite for almost every organization to handle the massive number of emerging cyber attacks worldwide.A critical factor in reducing the possibility of being exploited is cyber security awareness.Not only having the adequate knowledge but how to utilize this knowledge to prevent cyber attacks.In this paper we conducted a survey that focuses on three vital security parameters,which are trust,passwords and defensive attitude respectively.The survey mainly aimed at assessing cyber security knowledge of 200 students and 100 faculty members in a Sudanese college and how secure these participants think they are according to their current cyber behaviour.56%of the participants are males and 44%are females.The results revealed that all participants were having fairly-low level of security awareness and their defensive attitude is considerably weak and doesn’t protect them either individually or at institutional-level.Nevertheless,faculty member showed better cyber security knowledge and skills by 8%higher than students.This study can be used to develop training approaches that bridge the security gaps depicted by the respondents of the survey questions manipulated in this study.
基金supported by the Basic Science ResearchProgram through the National Research Foundation of Korea funded by the Ministry of Education under Grant No.NRF-2010-0020210
文摘Nowadays, the password-based remote user authentication mechanism using smart card is one of the simplest and convenient authentication ways to ensure secure communications over the public network environments. Recently, Liu et al. proposed an efficient and secure smart card based password authentication scheme. However, we find that Liu et al.’s scheme is vulnerable to the off-line password guessing attack and user impersonation attack. Furthermore, it also cannot provide user anonymity. In this paper, we cryptanalyze Liu et al.’s scheme and propose a security enhanced user authentication scheme to overcome the aforementioned problems. Especially, in order to preserve the user anonymity and prevent the guessing attack, we use the dynamic identity technique. The analysis shows that the proposed scheme is more secure and efficient than other related authentication schemes.
基金Acknowledgements This work was supported by the National Natural ScienceFoundation of China under Grants No. 60873191, No. 60903152, No. 60821001, and the Beijing Natural Science Foundation under Grant No. 4072020.
文摘To achieve privacy and authentication sinmltaneously in mobile applications, various Three-party Password-authenticated key exchange (3PAKE) protocols have been proposed. However, some of these protocols are vulnerable to conventional attacks or have low efficiency so that they cannot be applied to mobile applications. In this paper, we proposed a password-authenticated multiple key exchange protocol for mobile applications using elliptic curve cryptosystem. The proposed protocol can achieve efficiency, reliability, flexibility and scalability at the same time. Compared with related works, the proposed protocol is more suitable and practical for mobile applications.
文摘The Internet has penetrated all aspects of human society and has promoted social progress.Cyber-crimes in many forms are commonplace and are dangerous to society and national security.Cybersecurity has become a major concern for citizens and governments.The Internet functions and software applications play a vital role in cybersecurity research and practice.Most of the cyber-attacks are based on exploits in system or application software.It is of utmost urgency to investigate software security problems.The demand for Wi-Fi applications is proliferating but the security problem is growing,requiring an optimal solution from researchers.To overcome the shortcomings of the wired equivalent privacy(WEP)algorithm,the existing literature proposed security schemes forWi-Fi protected access(WPA)/WPA2.However,in practical applications,the WPA/WPA2 scheme still has some weaknesses that attackers exploit.To destroy a WPA/WPA2 security,it is necessary to get a PSK pre-shared key in pre-shared key mode,or an MSK master session key in the authentication mode.Brute-force cracking attacks can get a phase-shift keying(PSK)or a minimum shift keying(MSK).In real-world applications,many wireless local area networks(LANs)use the pre-shared key mode.Therefore,brute-force cracking of WPA/WPA2-PSK is important in that context.This article proposes a new mechanism to crack theWi-Fi password using a graphical processing unit(GPU)and enhances the efficiency through parallel computing of multiple GPU chips.Experimental results show that the proposed algorithm is effective and provides a procedure to enhance the security of Wi-Fi networks.
基金the National Science Council(No.NSC102-2221-E-260-011)
文摘Authenticated Diffie-Hellman key agreement is quite popular for establishing secure session keys. As resource-limited mobile devices are becoming more popular and security threats are increasing, it is desirable to reduce computational load for these resource-limited devices while still preserving its strong security and convenience for users. In this paper, we propose a new smart-card-based user authenticated key agreement scheme which allows users to memorize passwords, reduces users' device computational load while still preserves its strong security. The proposed scheme effectively improves the computational load of modular exponentiations by 50%, and the security is formally proved.
文摘An intelligent detecting system based on wireless transmission is designed. Its hardware includes the card reading module, the wireless digital transmission module, the LCD module, the random password keyboard module and a 16×16 lattice word database based on e-Flash MM36SB020. Its software is a communication protocol between the central control computer and the entrance management base station. To resolve the conflicting problems occurred during the data transmission, a method of delaying time at random is proposed.
