178 results on '"Passphrase"'
Search Results
2. Unstructured Data Analysis with Passphrase-Based REST API NoSQL for Big Data in Cloud
- Author
-
Sangeeta Gupta, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Saini, H. S., editor, Sayal, Rishi, editor, Govardhan, Aliseri, editor, and Buyya, Rajkumar, editor
- Published
- 2019
3. Impedances of Memorable Passphrase Design on Augmented Cognition
- Author
-
Loos, Lila A., Ogawa, Michael-Brian, Crosby, Martha E., Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Schmorrow, Dylan D., editor, and Fidopiastis, Cali M., editor
- Published
- 2019
4. Living with Encrypted Email
- Author
-
Orman, Hilarie, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, VS, Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, and Orman, Hilarie
- Published
- 2015
5. Voice Passphrase Variability Evaluation for Speaker Recognition
- Author
-
Sukhmel, Vladislav, Aleinik, Sergei, Shchemelinin, Vadim, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Garain, Utpal, editor, and Shafait, Faisal, editor
- Published
- 2015
6. Usability of the login authentication process: passphrases and passwords
- Author
-
Bhaveer Bhana and Stephen Flowerday
- Subjects
Password ,Authentication ,Information Systems and Management ,Computer Networks and Communications ,business.industry ,Computer science ,Passphrase ,Usability ,Context (language use) ,Login ,Management Information Systems ,Keystroke-level model ,Human–computer interaction ,Management of Technology and Innovation ,Chunking (psychology) ,business ,Software ,Information Systems
- Abstract
Purpose: The average employee spends a total of 18.6 h every two months on password-related activities, including password retries and resets. The problem is caused by the user forgetting or mistyping the password (usually because of character switching). The source of this issue is that while a password containing combinations of lowercase characters, uppercase characters, digits and special characters (LUDS) offers a reasonable level of security, it is complex to type and/or memorise, which prolongs the user authentication process. This results in much time being spent for no benefit (as perceived by users), as the user authentication process is merely a prerequisite for whatever a user intends to accomplish. This study aims to address this issue; passphrases that exclude the LUDS guidelines are proposed.
Design/methodology/approach: To discover constructs that create security and to investigate usability concerns relating to the memory and typing issues concerning passphrases, this study was guided by three theories as follows: Shannon’s entropy theory was used to assess security, chunking theory to analyse memory issues and the keystroke level model to assess typing issues. These three constructs were then evaluated against passwords and passphrases to determine whether passphrases better address the security and usability issues related to text-based user authentication. A content analysis was performed to identify common password compositions currently used. A login assessment experiment was used to collect data on user authentication and user–system interaction with passwords and passphrases in line with the constructs that have an impact on user authentication issues related to security, memory and typing. User–system interaction data was collected from a purposeful sample size of 112 participants, logging in at least once a day for 10 days. An expert review, which comprised usability and security experts with specific years of industry and/or academic experience, was also used to validate results and conclusions. All the experts were given questions and content to ensure sufficient context was provided and relevant feedback was obtained. A pilot study involving 10 participants (experts in security and/or usability) was performed on the login assessment website and the content was given to the experts beforehand. Both the website and the expert review content were refined after feedback was received from the pilot study.
Findings: It was concluded that, overall, passphrases better support the user during the user authentication process in terms of security, memory issues and typing issues.
Originality/value: This research aims at promoting the use of a specific type of passphrase instead of complex passwords. Three core aspects need to be assessed in conjunction with each other (security, memorisation and typing) to determine whether user-friendly passphrases can support user authentication better than passwords.
- Published
- 2021
7. PuTTY and SSH Implementation for Linux-Based Clients
- Author
-
Lakhe, Bhushan and Lakhe, Bhushan
- Published
- 2014
8. WiF0: All Your Passphrase Are Belong to Us
- Author
-
Constantinos Kolias, Georgios Kambourakis, and Efstratios Chatzoglou
- Subjects
Password ,Authentication ,Access network ,General Computer Science ,Wireless network ,Computer science ,business.industry ,Passphrase ,Login ,Computer security ,computer.software_genre ,The Internet ,Software system ,business ,computer
- Abstract
No nontrivial software system can be built without regard for security. Even noncritical software systems can be used as an entry point to the critical systems to which they are connected, for example, exploiting system vulnerabilities to steal passwords for login and network access. This article describes one such attack.
- Published
- 2021
9. Voice In Ear
- Author
-
Yang Gao, Jagmohan Chauhan, Seokmin Choi, Jiyang Li, Yincheng Jin, and Zhanpeng Jin
- Subjects
Authentication ,Spoofing attack ,Biometrics ,Computer Networks and Communications ,Computer science ,Speech recognition ,Wearable computer ,Word error rate ,020206 networking & telecommunications ,Passphrase ,02 engineering and technology ,Human-Computer Interaction ,030507 speech-language pathology & audiology ,03 medical and health sciences ,Hardware and Architecture ,0202 electrical engineering, electronic engineering, information engineering ,0305 other medical science ,Resilience (network) ,Replay attack
- Abstract
With the rapid growth of wearable computing and increasing demand for mobile authentication scenarios, voiceprint-based authentication has become one of the prevalent technologies and has already presented tremendous potentials to the public. However, it is vulnerable to voice spoofing attacks (e.g., replay attacks and synthetic voice attacks). To address this threat, we propose a new biometric authentication approach, named EarPrint, which aims to extend voiceprint and build a hidden and secure user authentication scheme on earphones. EarPrint builds on the speaking-induced body sound transmission from the throat to the ear canal, i.e., different users will have different body sound conduction patterns on both sides of ears. As the first exploratory study, extensive experiments on 23 subjects show the EarPrint is robust against ambient noises and body motions. EarPrint achieves an Equal Error Rate (EER) of 3.64% with 75 seconds enrollment data. We also evaluate the resilience of EarPrint against replay attacks. A major contribution of EarPrint is that it leverages two-level uniqueness, including the body sound conduction from the throat to the ear canal and the body asymmetry between the left and the right ears, taking advantage of earphones' pairing form-factor. Compared with other mobile and wearable biometric modalities, EarPrint is a low-cost, accurate, and secure authentication solution for earphone users.
- Published
- 2021
10. Adaptation of the biometric voice identification method to the quiet pronunciation of passphrases to counteract acoustic speech intelligence
- Author
-
R. A. Vasiliev
- Subjects
Biometrics ,Computer science ,QUIET ,Speech recognition ,Passphrase ,Pronunciation ,Speaker recognition ,Adaptation (computer science)
- Published
- 2021
11. H-Rotation: Secure Storage and Retrieval of Passphrases on the Authentication Process
- Author
-
Nabil El Akkad, Khalid Satori, and Hamza Touil
- Subjects
Authentication ,business.industry ,Computer science ,Process (computing) ,Passphrase ,Safety, Risk, Reliability and Quality ,business ,Rotation (mathematics) ,General Environmental Science ,Computer network
- Abstract
Passwords/passphrases can be either system generated or user-selected. A combination of both approaches is also possible—encryption created by the system and assigned to the user by the information system meeting the policy requirements. Policy rules can be designed to increase security and usability factors, such as information storage and retrieval. This paper proposes an algorithm dedicated to the security of passphrases in an online authentication, so the passphrase entered will be stored in a remote database. Through an SHA-3 hash function, the system must hash the passphrase. Before storage, the system must apply random rotations on the already generated HASH while eliminating any traceability performed on the different transactions performed. To prevent the hacker from using them recurrently if he wants to attack our database. Then the system must recover the real HASH and then the passphrase based on the data provided by the user in the form of codes.
- Published
- 2020
12. Achieving secure and convenient WLAN sharing in personal
- Author
-
Yan Zhicheng, Guo Jingjing, Jianfeng Ma, Zheng Yu, Chao Yang, Junwei Zhang, and You Wei
- Subjects
Computer Networks and Communications ,Computer science ,Wireless network ,business.industry ,Network security ,020206 networking & telecommunications ,Passphrase ,Access control ,0102 computer and information sciences ,02 engineering and technology ,Mutual authentication ,Cryptographic protocol ,Computer security ,computer.software_genre ,01 natural sciences ,law.invention ,Evil twin ,010201 computation theory & mathematics ,law ,0202 electrical engineering, electronic engineering, information engineering ,Wi-Fi ,business ,computer ,Software ,Information Systems
- Abstract
The authors analyse the security threats caused by personal wireless local area network (WLAN) sharing, propose schemes under two different conditions, and evaluate the performance of their schemes. WLAN is a widely used low-cost wireless networking technology. Most personal WLANs use the Wi-Fi-protected access II (WPA2)-personal to ensure robust security. Exposing the passphrase of WLAN is the only way to share it. Passphrase exposure can cause three threats, i.e. eavesdropping, evil twin attack, and resource abuse. This study addresses these threats by proposing two schemes under different device upgrade difficulties. For devices that are difficult to upgrade, their scheme only upgrades wireless routers. All WPA2-personal certified user devices can address these threats without any changes. For easy-upgrade and new devices, their scheme uses the attribute-based key exchange to address threats and provide ease of use, anonymity, and fine-grained access control. To solve the problem practically, they propose a mutual authentication method based on trust-on-first-use and a convenient attribute assignment method based on the existence of social information. The attribute authority already has numerous social information to provide services and cannot obtain more private information from participants in their scheme. The analysis shows that these proposed schemes are secure and practical.
- Published
- 2020
13. VocalLock
- Author
-
Yan Wang, Yingying Chen, Jiadi Yu, and Li Lu
- Subjects
Spoofing attack ,Biometrics ,Computer Networks and Communications ,business.industry ,Computer science ,020206 networking & telecommunications ,Passphrase ,02 engineering and technology ,Human-Computer Interaction ,User experience design ,Hardware and Architecture ,Human–computer interaction ,0202 electrical engineering, electronic engineering, information engineering ,Identity (object-oriented programming) ,020201 artificial intelligence & image processing ,business ,Replay attack ,Mobile device ,Vocal tract
- Abstract
Recent years have witnessed the surge of biometric-based user authentication for mobile devices due to its promising security and convenience. As a natural and widely-existed behavior, human speaking has been exploited for user authentication. Existing voice-based user authentication explores the unique characteristics from either the voiceprint or mouth movements, which is vulnerable to replay attacks and mimic attacks. During speaking, the vocal tract, including the static shape and dynamic movements, also exhibits the individual uniqueness, and they are hardly eavesdropped and imitated by adversaries. Hence, our work aims to employ the individual uniqueness of vocal tract to realize user authentication on mobile devices. Moreover, most voice-based user authentications are passphrase-dependent, which significantly degrade the user experience. Thus, such user authentications are pressed to be implemented in a passphrase-independent manner while being able to resist various attacks. In this paper, we propose a user authentication system, VocalLock, which senses the whole vocal tract during speaking to identify different individuals in a passphrase-independent manner on smartphones leveraging acoustic signals. VocalLock first utilizes FMCW on acoustic signals to characterize both the static shape and dynamic movements of the vocal tract during speaking, and then constructs a passphrase-independent user authentication model based on the unique characteristics of vocal tract through GMM-UBM. The proposed VocalLock can resist various spoofing attacks, while achieving a satisfactory user experience. Extensive experiments in real environments demonstrate VocalLock can accurately authenticate user identity in a passphrase-independent manner and successfully resist various attacks.
- Published
- 2020
14. Security Analysis of Diceware Passphrases
- Author
-
Nikoleta Georgieva and Petar Antonov
- Subjects
Security analysis ,business.industry ,Computer science ,Business intelligence ,Process improvement ,Diceware ,Passphrase ,Computer security ,computer.software_genre ,business ,computer
- Published
- 2020
15. System-Assigned Passwords: The Disadvantages of the Strict Password Management Policies
- Author
-
Boštjan Brumen
- Subjects
Password ,Authentication ,Computer science ,Applied Mathematics ,Human memory ,Passphrase ,Password management ,Mnemonic ,Computer security ,computer.software_genre ,computer ,Information Systems
- Published
- 2020
16. Examining the Continuance of Secure Behavior: A Longitudinal Field Study of Mobile Device Authentication.
- Author
-
Steinbart, Paul John, Keith, Mark J., and Babb, Jeffry
- Subjects
DATA security ,COMPUTER access control ,COMPUTER passwords ,MOBILE computing ,USER interfaces ,LONGITUDINAL method
- Abstract
It is not enough to get information technology (IT) users to adopt a secure behavior. They must also continue to behave securely. Positive outcomes of secure behavior may encourage the continuance of that behavior, whereas negative outcomes may lead users to adopt less-secure behaviors. For example, in the context of authentication, login success rates may determine whether users continue to use a strong credential or switch to less secure behaviors (e.g., storing a credential or changing to a weaker, albeit easier to successfully enter, credential). Authentication is a particularly interesting security behavior for information systems researchers to study because it is affected by an IT artifact (the design of the user interface). Laptops and desktop computers use full-size physical keyboards. However, users are increasingly adopting mobile devices, which provide either miniature physical keypads or touchscreens for entering authentication credentials. The difference in interface design affects the ease of correctly entering authentication credentials. Thus, the move to use of mobile devices to access systems provides an opportunity to study the effects of the user interface on authentication behaviors. We extend existing process models of secure behaviors to explain what influences their (dis)continuance. We conduct a longitudinal field experiment to test our predictions and find that the user interface does affect login success rates. In turn, poor performance (login failures) leads to discontinuance of a secure behavior and the adoption of less-secure behaviors. In summary, we find that a process model reveals important insights about how the IT artifact leads people to (dis)continue secure behaviors. [ABSTRACT FROM AUTHOR]
- Published
- 2016
17. Data Storage Encryption With Passphrase Using Hybrid Algorithm
- Author
-
Neeraj Kaushik, Himanshu Gupta, and Mohammad Yawer Qadri
- Subjects
business.industry ,Computer science ,law ,Computer data storage ,Hybrid cryptosystem ,Passphrase ,Electronics ,USB ,business ,Encryption ,Hybrid algorithm ,Computer network ,law.invention
- Abstract
Security of the data is of the utmost importance in today's world scenario. To achieve complete privacy of the data stored on various electronic devices like laptops, computers, external hard disks, USB drives etc., data storage encryption is needed to make the data more secure for any organization or any small offices. Encrypting the data provides a way out for the organization to keep a firm hold on their sensitive data or information. Intelligent devices like laptops and PCs are prone to security attacks resulting in the compromising of the data. This problem can be solved by employing data encryption. Though many encryption techniques are being used to make the data secure, a hybrid encryption algorithm should be used to make the data encryption more secure.
- Published
- 2021
18. BUILD CRYPTOGRAPHIC SYSTEM FROM MULTI-BIOMETRICS USING MEERKAT ALGORITHM
- Author
-
Abdul Abdul-hossen, Duha D. Salman, and Raghad A. Azeez
- Subjects
Password ,Key generation ,Biometrics ,lcsh:T ,business.industry ,Computer science ,Advanced Encryption Standard ,multi-biometrics, ear, eye, encryption, decryption, meerkat algorithm ,Passphrase ,Cryptography ,Encryption ,lcsh:Technology ,Cipher ,business ,Algorithm
- Abstract
Presenting uncouth proposal for the design of investigating ways to use extraction feature from biometric user, rather than memorable password or passphrase as an attempt to produce a new and randomly cipher keys. Human users find it difficult to remember long cipher keys. Therefore, the proposed work takes the eye and ear as a multi-biometrics feature extraction for generating the cryptography keys. Meerkat Clan Key Generation Algorithm (MCKGA) is used in this work for key generation, firstly we generate keys with 128-bits, then we enhance our method by generating 256-bits, and finally we mix the keys produced from (eye and ear) and get robust key with 512-bits length, these keys are tested by NIST statistical test to generate random keys used in encryption process. Our approach generates unique keys used in cryptographic system by using Advanced Encryption Standard (AES) algorithm.
- Published
- 2019
19. Biopen–Fusing password choice and biometric interaction at presentation level
- Author
-
Genoveffa Tortora, Federico Ponzi, Federico Scozzafava, and Maria De Marsico
- Subjects
Dynamic time warping ,Spoofing attack ,Biometrics ,Biometric authentication ,Computer science ,Augmented pen ,Dynamic writing recognition ,02 engineering and technology ,01 natural sciences ,Artificial Intelligence ,Handwriting ,0103 physical sciences ,0202 electrical engineering, electronic engineering, information engineering ,Computer vision ,010306 general physics ,Password ,business.industry ,Passphrase ,Software ,Signal Processing ,1707 ,020201 artificial intelligence & image processing ,Computer Vision and Pattern Recognition ,Artificial intelligence ,business ,Word (computer architecture)
- Abstract
The paper presents experiments with the home-made, low-cost prototype of a sensor-equipped pen for handwriting-based biometric authentication. The pen allows to capture the dynamics of user writing on normal paper, while producing a kind of password (passphrase) chosen in advance. The use of a word of any length instead of the user's signature makes the approach more robust to spoofing, since there is no repetitive pattern to steal. Moreover, if the template gets violated, this is much less harmful than signature catch. The entailed sensors are a pair of accelerometer and gyroscope and a pressure sensor. The aim is a natural yet precise interaction, that allows recognizing the user by the signals recorded while producing a specific word chosen during enrollment and possibly changed later. The pen can be exploited in a number of applications requiring user recognition, yet relieving from the need to learn complex procedures, and to undergo critical capture operations. The approach fuses the use of a kind of password, though not necessarily complex as those requested by traditional approaches, and biometric recognition. The novelty with respect to most proposals in literature is the combination of three elements at once: the matching of any handwritten text instead of user signature, the on-line capture of seven sensor signals to recognize handwriting dynamics (three from accelerometer, three from gyroscope and one from pressure sensor), and the use of normal paper instead of a digitizing tablet. Presented experiments test two different recognition techniques, implemented by two modules that can be alternatively plugged into the system. An SVM-based verification module entails to extract the most relevant features from writing dynamics, and to acquire a sufficient amount of enrolling data (30 samples per user) to train an SVM for each user. 
A pure Dynamic Time Warping (DTW) verification module does not require such training, and is tested using either a gallery with the same number of templates per user as those used for SVM training, or with a gallery containing a much lower number of templates per user (namely 5). Obtained results encourage further investigation of lightweight strategies for written password dynamics recognition.
- Published
- 2019
20. ComPass: Proximity Aware Common Passphrase Agreement Protocol for Wi-Fi Devices Using Physical Layer Security
- Author
-
Khan Reaz and Gerhard Wunder
- Subjects
Authentication ,business.industry ,Computer science ,Firmware ,Physical layer ,Provisioning ,Passphrase ,computer.software_genre ,Compass ,Scalability ,business ,computer ,Protocol (object-oriented programming) ,Computer network
- Abstract
Secure and scalable device provisioning is a notorious challenge in Wi-Fi. WPA2/WPA3 solutions take user interaction and a strong passphrase for granted. However, the often weak passphrases are subject to guessing attacks. Notably, there has been a significant rise of cyberattacks on Wi-Fi home or small office networks during the COVID-19 pandemic. This paper addresses the device provisioning problem in Wi-Fi (personal mode) and proposes ComPass protocol to supplement WPA2/WPA3. ComPass replaces the pre-installed or user-selected passphrases with automatically generated ones. For this, ComPass employs Physical Layer Security and extracts credentials from common random physical layer parameters between devices. Two major features make ComPass unique and superior compared to previous proposals: First, it employs phase information (rather than amplitude or signal strength) to generate the passphrase so that it is robust, scalable, and impossible to guess. Our analysis showed that ComPass generated passphrases have 3 times more entropy than human generated passphrases (113-bits vs. 34-bits). Second, ComPass selects parameters such that two devices bind only within a certain proximity (\(\le\) 3 m), hence providing practically useful in-built PLS-based authentication. ComPass is available as a kernel module or as full firmware.
- Published
- 2021
21. 'Hacking an IoT Home': New opportunities for cyber security education combining remote learning with cyber-physical systems
- Author
-
Ian Johnson, Jonathan White, Thomas Higgs, Pennie Spruhan, and Philip A. Legg
- Subjects
Outreach ,Web server ,Videoconferencing ,Computer science ,Distance education ,Cyber-physical system ,Robot ,Passphrase ,computer.software_genre ,Computer security ,computer ,Hacker
- Abstract
In March 2020, the COVID-19 pandemic led to a dramatic shift in educational practice, whereby home-schooling and remote working became the norm. Many typical schools outreach projects to encourage uptake of learning cyber security skills therefore were put on hold, due to the inability to physically attend and inspire. In this short paper, we describe a new approach to teaching cyber security with a view of inspiring a new generation of learners to the subject. Traditional Capture-The-Flag exercises are widely used in cyber security education, whereby a series of challenges are completed to gain access and obtain a passphrase from a computer system. We couple this approach with interactive sessions made possible via video conferencing platforms such as Microsoft Teams and Zoom, along with the very nature of being in the home environment, where home IoT devices are now commonplace. We develop an integrated CTF for the home IoT environment, where students can observe the impact of submitting flags via online video, to physically adjust the home environment - ranging from switching off lights, playing music, or controlling an IoT-enabled robot. The result is a highly interactive and engaging experience that benefits from the very nature of remote working, inspiring the notion of "hacking an IoT home".
- Published
- 2021
22. A Private Key Recovery Scheme Using Partial Knowledge
- Author
-
Fabian Kirstein, Kyriakos Stefanidis, and Har Preet Singh
- Subjects
Authentication ,business.industry ,Computer science ,Passphrase ,Cryptography ,Usability ,Encryption ,Computer security ,computer.software_genre ,Secret sharing ,Personal cloud ,Public-key cryptography ,business ,computer
- Abstract
In this paper we explore the problem of secure handling of private keys in blockchain applications. We present a novel approach, named "Partial Knowledge Recovery Scheme" (PKRS), which allows for the recovery of an encrypted private key through the use of personal security questions. In PKRS, an individual is asked a set of questions, and the answers to those questions are used to encrypt the input and produce a secured private key. Through the use of Shamir’s secret sharing algorithm, the original private key can be recovered if the individual can answer correctly only a subset of the original questions. PKRS does not require any external services for the recovery process, since all the required information is stored within the secured private key itself. This approach tries to achieve a middle ground between security and usability. Security, where the private key needs to be encrypted and safely stored offline. Usability, where an individual wants to be able to recover their private key without the need of an easily forgotten passphrase and be able to store it in their personal cloud environments. We also discuss the correct design of personal security questions in social environments where an individual’s personal data can be mined through public records and social networks. Finally, we present a blockchain Self-sovereign Identity use case, which was used for the integration and evaluation of PKRS within a real-world application.
- Published
- 2021
23. Enhancement of digital signature algorithm in bitcoin wallet
- Author
-
Ali Makki Sagheer, Abdullah M. Awad, and Farah Maath Jasem
- Subjects
Control and Optimization ,Dictionary attack ,Computer Networks and Communications ,Computer science ,Electronic cash ,Computer security ,computer.software_genre ,Key management ,Public-key cryptography ,Digital Signature Algorithm ,ECDSA ,Computer Science (miscellaneous) ,Electrical and Electronic Engineering ,Instrumentation ,Key generation ,business.industry ,Elliptic Curve Digital Signature Algorithm ,Passphrase ,Wallets ,Hardware and Architecture ,Control and Systems Engineering ,Privacy ,business ,computer ,Bitcoin ,Information Systems
- Abstract
Bitcoin is a peer-to-peer electronic cash system largely used for online financial transactions. It gained popularity due to its anonymity, privacy, and comparatively low transaction cost. Its wallet heavily relies on Elliptic Curve Digital Signature Algorithm (ECDSA). Weaknesses in such algorithms can significantly affect the safety and the security of bitcoin wallets. In this paper, a secure key management wallet was designed based on several changes in the wallet parts. In the cold wallet, we employed an image-based passphrase to achieve a strong entropy source of master seed. The hot wallet, the proposed key_Gen algorithm is modifying to the key generation step of the ECDSA that it is to generate a fresh key pair at each transaction. The final part ensures recovering all keys on both hot and cold wallets without daily backups in case of losing the wallet. The findings prove that the proposed cold wallet is resisting against a dictionary attack and overcoming the memorizing problem. The proposed hot wallet model acquires good anonymity and privacy for bitcoin users by eliminating transaction linkability without additional cost. The execution time for signing a transaction of the proposed model is ~70 milliseconds, which is then important in the bitcoin domain.
- Published
- 2021
24. Automated WPA2 Cracking Using Improved Dictionary and WPS Pin Attack
- Author
-
P. P. Amritha, M. Sethumadhavan, and Aiswarya Ajay
- Subjects
Cracking ,Dictionary attack ,Handshake ,Exploit ,Computer engineering ,Computer science ,Brute force ,Point (geometry) ,Passphrase
- Abstract
In this paper, an automated system is proposed to crack the WPA2 passphrase much efficiently. Two different schemes are introduced which can improve the dictionary attack and overcome the existing issues. Firstly, a method to validate the captured handshake is introduced. This helps to enhance the dictionary attack to retrieve the passphrase easily. Secondly, a design flaw in the WPS implementation is explained and used to exploit the same to crack the WPS pin. This attack is much efficient compared to existing methods. Moreover, the automated script which probes and intimates whether access point supports WPS. Access point which supports WPS will perform WPS pin attack and which does not support WPS undergoes improved dictionary attack and will obtain the passphrase.
- Published
- 2021
25. A Novel Approach for AES Encryption–Decryption Using AngularJS
- Author
-
Aman Rai and B. N. Arunakumari
- Subjects
Plain text; business.industry; Programming language; Computer science; Advanced Encryption Standard; Plaintext; Passphrase; computer.file_format; Encryption; computer.software_genre; Cipher; Ciphertext; Key (cryptography); business; computer
- Abstract
The goal of this paper is to implement a simple encryption–decryption web application that utilizes the facility provided by AngularJS. The advanced encryption standard (AES) algorithm is implemented using the methods from the CryptoJS library. This algorithm was chosen, as it is a U.S. Federal Information Processing Standard, which was selected after a thorough process, trumping 15 competing solutions. The advantages associated with using AngularJS include the fact that it is quick to learn a language. Furthermore, two-way data-binding capability means that developer intervention is not required for data binding. Developing powerful Web applications is made easier since AngularJS architecture separates data from design. Additionally, the developers must be familiar with the model-view-controller architecture to work efficiently with AngularJS. Plaintext or instances of CryptoJS.lib.WordArray may be accepted as inputs. When a string is passed for a certain key, it is considered as the passphrase, which is subsequently used to derive the key. When it comes to the CipherText, strings or CryptoJS.lib.CipherParams instances are accepted. All strings passed are eventually converted to a CipherParams object. Coming to the cipher output, the plain text derived after the decryption process is a word array object. The CipherText returned is a CipherParams object, which gives access to the parameters used during encryption. Ample flexibility is provided, allowing various formats to be used. Essentially, a format is nothing but a two-method object—stringify and parse. This helps convert CipherParams objects and CipherText strings. The practical implementation of the method involves downloading and installing NodeJS, AngularCLI, and Visual Studio code, the detailed explanation of which is elaborated under the proposed method section. AES algorithm performs well irrespective of the size of data to be encrypted as it has a big-O time complexity which is constant—O(1).
- Published
- 2021
26. Passphrases Beat Thermal Attacks: Evaluating Text Input Characteristics Against Thermal Attacks on Laptops and Smartphones
- Author
-
Mohamed Khamis, Yomna Abdelrahman, Amr El-Mougy, Reem Hatem, and Yasmeen Abdrabou
- Subjects
Visual inspection; business.product_category; Touchscreen; Computer science; Human–computer interaction; law; Laptop; Passphrase; Text entry; Side channel attack; business; Beat (music); law.invention
- Abstract
We investigate the effectiveness of thermal attacks against input of text with different characteristics; we study text entry on a smartphone touchscreen and a laptop keyboard. First, we ran a study (N = 25) to collect a dataset of thermal images of short words, websites, complex strings (special characters, numbers, letters), passphrases and words with duplicate characters. Afterwards, 20 different participants visually inspected the thermal images to attempt to identify the text input. We found that long and complex strings are less vulnerable to thermal attacks, that visual inspection of thermal images reveals different parts of the entered text (36% on average and up to 82%) even if the attack is not fully successful, and that entering text on laptops is more vulnerable to thermal attacks than on smartphones. We conclude with three learned lessons and recommendations to resist thermal attacks.
- Published
- 2021
27. Passphrase Authentication and Individual Physiological Differences
- Author
-
Michael-Brian Ogawa, Lila A. Loos, Martha E. Crosby, and Randall K. Minas
- Subjects
Password; Authentication; Psychophysiology; Recall; Alphanumeric; business.industry; Computer science; Human–computer interaction; Usability; Passphrase; business; Cognitive load
- Abstract
Computer passphrase authentication designed with usability consideration encourages memorability. This passphrase study suggests successful recollection using an assembly of meaningful word groups evidenced by individual physiological performance measurements. Participant data collected at the Hawaiʻi Interdisciplinary Neurobehavioral and Technology Lab (HINT) demonstrate physiological responses to passphrase decision making. The results from university students indicate psychophysiological influences predict passphrase characteristics. The repeated measures investigation of user-created and system-imposed passphrases contribute understanding toward user authentication selection that supports encoding and recalling a secret, unlike the current traditional password composed of alphanumeric and special characters. Passphrases constructed with usability considerations support security compliance requirements. This explanatory study employs pilot-tested passphrases designed to reveal predictive psychophysiological behavior. Overall results indicate user-created passphrases produce less cognitive load stressors on working memory than system-imposed passphrases. However, physiological measurements from heart rate, skin conductance, and the facial corrugator supercilii muscle signify a mixture of passphrase types that imply memorability. Study results suggest a platform for future passphrase design research of longer passwords that inform security access, improve memorability, and enhance usability evaluated by human-centered performance.
- Published
- 2021
28. Non-linguistic systems as a way to make a password secure but memorable
- Author
-
Vorotnikova, Victoria and Karlin, Sergey
- Subjects
ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS; Password; Entropy; Cyber Attacks; Symbol Systems; Reliability; Passphrase; Cryptographic Strength
- Abstract
This article is based on the study of ways to create a secure password by integrating symbols from non-linguistic sign systems, in order to combine cryptographic strength and ease of memorization. This is relevant, as the old ways of complicating the password become obsolete, in view of their triviality and, as a result, susceptibility to hacking. Our research is based on the use of a system of symbols from various fields of interest (chemistry, programming, music, etc.) in the password. We take into account the individual preferences of users, so that it would be easier for them to build an associative chain when remembering a password, and also considered the susceptibility of passwords obtained using the password techniques we proposed to the most common cyber-attacks. The respondents created one password on their own, and the second with the help of the proposed methods. The complexity and security of the password was estimated in terms of entropy, as well as using specialized programs. Using the proposed methods reduced the number of insecure keys.
Technology and Language, 2(1), 98-121
- Published
- 2021
29. User-Side Password Authentication: A Study.
- Author
-
Sarga, Libor and Jašek, Roman
- Abstract
Researchers have for a time been struggling to change inert mindset of users regarding passwords as a response to advances in processing power, emergence of highly-scalable computing models, and attackers prioritizing human element for attacks. Recommendations regarding security are ignored as documented by recent corporate database breaches and releases of unencrypted password caches which corroborated lacking security awareness in vast majority of Internet users. In order to educate users about computer security, terms such as hashing, cipher systems and their weaknesses, brute-force attacks, social engineering, multi-factor authentication, and balance between usability and ease of use must be clearly explained. However, academia tend to focus on areas requiring deep mathematical or programmatic background, clear communication of these security elements while minimizing scientific rigor thus remains challenging. The article aims to provide a concise, comprehensive research overview and outline of authentication, including information entropy, hashing algorithms, reverse password engineering, importance of complexity and length in passwords, general-purpose attacks such as brute-force and social engineering as well as specialized ones, namely side-channel interception. Novel ways of increasing security by utilizing two- and multi-factor authentication, visual passwords, pass phrases, mnemonic-based strings will be considered as well along with their advantages over the traditional textual password model and pitfalls for their widespread propagation. In particular, we hypothesize that technological developments allow vendors to offer solutions which limit unauthorized third parties from gaining windows of opportunity to exploit weaknesses in the authentication schemes. However, as infrastructure becomes more resilient, attackers shift their focus towards human-based attacks (social engineering, social networking). 
Due to largely unchanging short-term behavior patterns, institutions need to lecture employees over extended periods about being vigilant to leaks of procedural and organizational information which may help attackers bypass perimeter-level security measures. We conclude the article by listing emerging threats in the field, specifically social networks-distributed malware and mobile devices targeting. [ABSTRACT FROM AUTHOR]
- Published
- 2012
30. VibLive: A Continuous Liveness Detection for Secure Voice User Interface in IoT Environment
- Author
-
Sheng Tan, Linghan Zhang, Jie Yang, Yili Ren, Zi Wang, and Zhi Wang
- Subjects
021110 strategic, defence & security studies; Authentication; Spoofing attack; Computer science; Liveness; 0211 other engineering and technologies; Passphrase; 02 engineering and technology; Voice command device; Computer security; computer.software_genre; Voice user interface; Secure voice; 020204 information systems; 0202 electrical engineering, electronic engineering, information engineering; User interface; computer
- Abstract
The voice user interface (VUI) has been progressively used to authenticate users to numerous devices and applications. Such massive adoption of VUIs in IoT environments like individual homes and businesses raises extensive privacy and security concerns. Latest VUIs adopting traditional voice authentication methods are vulnerable to spoofing attacks, where a malicious party spoofs the VUIs with pre-recorded or synthesized voice commands of the genuine user. In this paper, we design VibLive, a continuous liveness detection system for secure VUIs in IoT environments. The underlying principle of VibLive is to catch the dissimilarities between bone-conducted vibrations and air-conducted voices when a human speaks for liveness detection. VibLive is a text-independent system that verifies live users and detects spoofing attacks without requiring users to enroll specific passphrases. Moreover, VibLive is practical and transparent as it requires neither additional operations nor extra hardware, other than a loudspeaker and a microphone that are commonly equipped on VUIs. Our evaluation with 25 participants under different IoT intended experiment settings shows that VibLive is highly effective with over 97% detection accuracy. Results also show that VibLive is robust to various use scenarios.
- Published
- 2020
31. Investigation of Informativeness and Stability of Mel-Frequency Cepstral Coefficients Estimates Based on Voice Signal Phase Data of Authentication System User
- Author
-
Mykola Pastushenko, Yana Krasnozheniuk, and Maksym Zaika
- Subjects
Support vector machine; Authentication; Formant; Biometrics; Computer science; Speech recognition; Passphrase; Mel-frequency cepstrum; Hidden Markov model; Mixture model
- Abstract
The problems of increasing the reliability of using various resources, access to which is carried out by means of infocommunication networks, are considered. It is known that the first barrier in ensuring high reliability of access is a high-quality user authentication system. Currently preference is given to access systems based on biometric characteristics of a user. Initially, the priority was given to static biometric characteristics of a user (face image, finger papillary picture and iris). These biometric features did not meet the expectations of developers and users due to the simplicity of their forgery. At present, the main attention of developers is focused on implementation of dynamic (behavioral) biometric features of users and, first of all, voice authentication systems. Voice authentication systems have a number of significant advantages: simplicity, compactness, low cost, and a number of others. It is also important that the user's passphrase can be quickly changed and extended in the process of voice authentication. The quality indicators of voice authentication systems, like all biometric access systems, do not meet the increasing requirements. In the process of voice authentication, the amplitude-frequency spectrum of the recording materials is analyzed. The main efforts of researchers are focused on using estimates of the pitch frequency and formant frequencies associated with it, cepstral coefficients, mel-frequency cepstral coefficients, and linear prediction coefficients as a user template. Some attention is paid to decision-making procedures based on Gaussian Mixture Model, Support Vector Machine, and Hidden Markov Models or artificial neural networks. In the presented work, it is proposed to supplement the analysis of the amplitude-frequency spectrum with studies of phase data, which is currently receiving less focus in the process of voice authentication. 
The results of research on estimates of pitch frequency and mel-frequency cepstral coefficients based on the amplitude and phase information of the voice signal are presented. The purpose of this work is to analyze the informativeness of phase data of a voice signal, as well as to study the stability of estimates of the user's template and, first of all, mel-frequency cepstral coefficients calculated from the phase data. The studies performed have shown high informativeness and stability of the investigated estimates, which emphasizes the importance of the phase information of the voice signal for improving quality characteristics of voice authentication systems.
- Published
- 2020
32. A Secure Session Key Negotiation Scheme in WPA2-PSK Networks
- Author
-
Yujun Zhang, Hanwen Zhang, Miao Wang, and Guo Jiang
- Subjects
Authentication; Computer science; business.industry; Eavesdropping; Passphrase; Encryption; Wireless security; Session key; Key (lock); Session (computer science); Elliptic curve cryptography; business; Security level; Computer network; Cryptographic nonce
- Abstract
Wi-Fi Protected Access II Pre-Shared Key (WPA2-PSK) is a hot way to wireless security in public Wi-Fi networks. It works on a pre-configured passphrase shared with all stations in the same Wi-Fi network. Session keys (e.g., Pairwise Transient Key, PTK) between stations and the access point (AP) are derived from the passphrase. The WPA2-PSK networks can authenticate external stations, however, they fail to guarantee confidential communication if internal attackers own the passphrase in the network since all stations derive their PTK using the same passphrase. To prevent internal stations from eavesdropping the PTK, a secure session key negotiation scheme in WPA2-PSK Networks (SSKNS) is proposed. We introduce a temporary session key (TSK), which is encrypted using elliptic curve cryptography (ECC) and exchanged securely between the station and the AP in the Wi-Fi association process. Through AES algorithm with TSK, the station encrypts its own nonce used to generate the unique PTK in the 4-way process. Our scheme neither modifies the legacy process related to PTK generation nor adds plethoric overhead on excessive protection of all messages. Security analysis and simulations performed in NS-3 demonstrate that by consuming a few computation overheads, SSKNS can effectively provide security level, compared with the existing schemes.
- Published
- 2020
33. FridgeLock
- Author
-
Manuel Andreas, Manuel Huber, and Fabian Franzen
- Subjects
021110 strategic, defence & security studies; Software_OPERATINGSYSTEMS; business.industry; Computer science; 0211 other engineering and technologies; Data theft; Linux kernel; Passphrase; 02 engineering and technology; Encryption; computer.software_genre; Data access; Disk encryption; 020204 information systems; 0202 electrical engineering, electronic engineering, information engineering; Operating system; Key (cryptography); business; computer; Reboot
- Abstract
To secure mobile devices, such as laptops and smartphones, against unauthorized physical data access, employing Full Disk Encryption (FDE) is a popular defense. This technique is effective if the device is always shut down when unattended. However, devices are often suspended instead of switched off. This leaves confidential data such as the FDE key, passphrases and user data in RAM which may be read out using cold boot, JTAG or DMA attacks. These attacks can be mitigated by encrypting the main memory during suspend. While this approach seems promising, it is not implemented on Windows or Linux. We present FridgeLock to add memory encryption on suspend to Linux. Our implementation as a Linux Kernel Module (LKM) does not require an admin to recompile the kernel. Using Dynamic Kernel Module Support (DKMS) allows for easy and fast deployment on existing Linux systems, where the distribution provides a prepackaged kernel and kernel updates. We tested our module on a range of 4.19 to 5.3 kernels and experienced a low performance impact, sustaining the system's usability. We hope that our tool leads to a more detailed evaluation of memory encryption in real world usage scenarios.
- Published
- 2020
34. Cognitive Variability Factors and Passphrase Selection
- Author
-
Martha E. Crosby, Michael-Brian Ogawa, and Lila A. Loos
- Subjects
Password; 021110 strategic, defence & security studies; Recall; business.industry; media_common.quotation_subject; 0211 other engineering and technologies; Passphrase; Usability; Cognition; 02 engineering and technology; 020204 information systems; 0202 electrical engineering, electronic engineering, information engineering; Personality; Association (psychology); business; Psychology; Categorical variable; Cognitive psychology; media_common
- Abstract
Security policies require a secret code to access electronic information. Challenges exist between the usability and memorability of passwords. This study spotlights individualistic behavioral assimilation of passphrase styles for design insight and recall abilities. Data captured categorical authentication behavior toward enhanced usability outcomes. Validated locus of control personality and memory associative instruments demonstrated the internal and external personality types and cognitive response types that contribute to the systematic quest toward a more memorable passphrase scheme. Personalized criteria contributed to practical evaluation employing a repeated measures structure. This study tested 58 participants who successfully completed a passphrase survey consisting of four rulesets applied to imposed and user created passphrases designed for repeated measures. Although electrophysiological data was collected, it was not analyzed in time for this publication. Results indicate that memory associative factors of cognition represent a significant factor in the recall of 75% of imposed passphrase category types. The locus of control and memory associative variables are significant at the .05 level. Internally controlled participants preferred the created room objects and created no vowel passphrases. Additionally, the created room objects and animal association passphrases ranked the highest among the externally controlled subjects. The imposed passphrases constructed without vowels and associated with animals received the least recall. This descriptive study informs passphrase usability identifying cognitive demands that impact memory.
- Published
- 2020
35. Integrating Visual Mnemonics and Input Feedback With Passphrases to Improve the Usability and Security of Digital Authentication
- Author
-
Joel S. Greenstein and Kevin A. Juang
- Subjects
Adult; Computer science; Human Factors and Ergonomics; Mnemonic; Login; computer.software_genre; 050105 experimental psychology; User-Computer Interface; Behavioral Neuroscience; Human–computer interaction; Usability engineering; Humans; 0501 psychology and cognitive sciences; Computer Security; 050107 human factors; Applied Psychology; Password; Authentication; Multimedia; business.industry; 05 social sciences; Passphrase; Usability; Authentication system; Mental Recall; business; computer
- Abstract
Objective: We developed a new authentication system based on passphrases instead of passwords. Our new system incorporates a user-generated mnemonic picture displayed during login, definition tooltips, error correction to reduce typographical errors, a decoy-based input masking technique, and random passphrase generation using either a specialized wordlist or a sentence template. Background: Passphrases exhibit a greater level of security than traditional passwords, but their wider adoption has been hindered by human factors issues. Our assertion is that the added features of our system work particularly well with passphrases and help address these shortcomings. Method: We conducted a study to evaluate our new system with a customized 1,450-word list and our new system with a 6-word sentence structure against the control conditions of a user-created passphrase of at least 24 characters and a system-generated passphrase using a 10,326-word list. Fifty participants completed two sessions so that we could measure the usability and security of the authentication schemes. Results: With the new system conditions, memorability was improved, and security was equivalent to or better than the control conditions. Usability and overall ratings also favored the new system conditions over the control conditions. Conclusion: Our research presents a new authentication system using innovative techniques that improve on the usability and security of existing password and passphrase authentication systems. Application: In computer security, drastic changes should never happen overnight, but we recommend that our contributions be incorporated into current authentication systems to help facilitate a transition from passwords to usable passphrases.
- Published
- 2018
36. DPPG: A Dynamic Password Policy Generation System
- Author
-
Raheem Beyah, Shukun Yang, and Shouling Ji
- Subjects
Password; 021110 strategic, defence & security studies; Password policy; Zero-knowledge password proof; Software_OPERATINGSYSTEMS; Cognitive password; Computer Networks and Communications; Salt (cryptography); Computer science; 0211 other engineering and technologies; Password cracking; Passphrase; 02 engineering and technology; Adversary; Computer security; computer.software_genre; One-time password; S/KEY; Password strength; ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS; 0202 electrical engineering, electronic engineering, information engineering; Key stretching; 020201 artificial intelligence & image processing; Safety, Risk, Reliability and Quality; computer
- Abstract
To keep password users from creating simple and common passwords, major websites and applications provide a password-strength measure, namely a password checker. While critical requirements for a password checker to be stringent have prevailed in the study of password security, we show that regardless of the stringency, such static checkers can leak information and actually help the adversary enhance the performance of their attacks. To address this weakness, we propose and devise the Dynamic Password Policy Generator, namely DPPG, to be an effective and usable alternative to the existing password strength checker. DPPG aims to enforce an evenly-distributed password space and generate dynamic policies for users to create passwords that are diverse and that contribute to the overall security of the password database. Since DPPG is modular and can function with different underlying metrics for policy generation, we further introduce a diversity-based password security metric that evaluates the security of a password database in terms of password space and distribution. The metric is useful as a countermeasure to well-crafted offline cracking algorithms and theoretically illustrates why DPPG works well.
- Published
- 2018
37. PERSPECTIVE NEURAL NETWORK ALGORITHMS FOR DYNAMIC BIOMETRIC PATTERN RECOGNITION IN THE SPACE OF INTERDEPENDENT FEATURES
- Author
-
Alexey E. Sulavko, Grigory A. Fofanov, and Samal S. Zhumazhanova
- Subjects
Password; Artificial neural network; Biometrics; Computer science; Intersection (set theory); business.industry; Deep learning; Bayesian probability; Pattern recognition; Passphrase; 02 engineering and technology; 01 natural sciences; 010309 optics; ComputingMethodologies_PATTERNRECOGNITION; 0103 physical sciences; Pattern recognition (psychology); 0202 electrical engineering, electronic engineering, information engineering; 020201 artificial intelligence & image processing; Artificial intelligence; business
- Abstract
A model of neurons for biometric authentication, capable of efficient processing of highly dependent features, based on the agreement criteria (Gini, Cramer-von-Mises, Kolmogorov-Smirnov, the maximum of intersection areas of probability densities) is proposed. An experiment was performed on comparing the efficiency of neurons based on the proposed model and neurons on the basis of difference and hyperbolic Bayesian functionals capable of processing highly dependent biometric data. Variants of construction of hybrid neural networks, that can be trained on a small number of examples of a biometric pattern (about 20), are suggested. An experiment was conducted to collect dynamic biometric patterns, in the experiment 90 people entered handwritten and voice patterns during a month. Intermediate results on recognition of subjects based on hybrid neural networks were obtained. Number of errors in verification of a signature (handwritten password) was less than 2%, verification of a speaker by a fixed passphrase was less than 6%. The testing was carried out on biometric samples, obtained after some time period after the formation of training sample.
- Published
- 2018
38. Enhanced PKI authentication with trusted product at claimant
- Author
-
Asahiko Yamada and Tatsuro Ikeda
- Subjects
General Computer Science; Computer science; Data_MISCELLANEOUS; 02 engineering and technology; Computer security; computer.software_genre; Authentication server; Public-key cryptography; Digital signature; Generic Bootstrapping Architecture; Lightweight Extensible Authentication Protocol; 0202 electrical engineering, electronic engineering, information engineering; Data Authentication Algorithm; 060201 languages & linguistics; Authentication; business.industry; Passphrase; Public key infrastructure; 06 humanities and the arts; Authentication (law); ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS; Authentication protocol; 0602 languages and literature; 020201 artificial intelligence & image processing; Smart card; business; Law; computer; Computer Science(all)
- Abstract
A data structure to enhance PKI (Public Key Infrastructure) authentication is proposed. With the data structure, the PKI authentication server can distinguish the execution environment of PKI authentication. The proposal covers all of the use cases of private key, activated with passphrase or biometrics, generated with biometrics. In this paper, a data structure to enhance PKI (Public Key Infrastructure) authentication is proposed generalizing the concept of ISO/IEC 24761. Current technologies do not provide sufficient information on products which are used in the authentication process at the Claimant to the Verifier. As a result, the Verifier cannot sufficiently distinguish the authentication result executed with a trusted product from that without a trusted product. The difference is made clear if evidence data of the execution of authentication process at the Claimant are generated by the trusted product and used for verification by the Verifier. Data structure for such data is proposed in this paper as client Authentication Context (cAC) instance. Relation to other works and extension of the proposal where biometrics is used are also described for further improvement of PKI authentication. For this proposal to realize, standardization activities are to be considered as the next steps.
- Published
- 2017
39. A novel secure and efficient hash function with extra padding against rainbow table attacks
- Author
-
Sunghyuck Hong, Jungpil Shin, and Hyung-Jin Mun
- Subjects
Zero-knowledge password proof; Computer Networks and Communications; Salt (cryptography); Computer science; computer.internet_protocol; Crypt; Hash function; 02 engineering and technology; Computer security; computer.software_genre; One-time password; Padding; Password strength; S/KEY; 0202 electrical engineering, electronic engineering, information engineering; Key stretching; Syskey; Key derivation function; Password psychology; Password; Authentication; Password policy; Cognitive password; Pass the hash; Password cracking; 020206 networking & telecommunications; Passphrase; ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS; Rainbow table; Hash chain; 020201 artificial intelligence & image processing; HMAC-based One-time Password Algorithm; Challenge–response authentication; computer; Software
- Abstract
User authentication is necessary to provide services on an application system and the Internet. Various authentication methods are used such as ID/PW, biometric, and OTP authentications. One of the popular authentications is ID/PW authentication. As an inputted password is transferred by one-way hash function and then stored in DB, it is difficult for the DB administrator to figure out the password inputted by the user. However, when DB is leaked, and there is the time to decode, the password can be hacked. The time and cost to decode the original message from the hash value corresponding a short password decrease. Therefore, if the password is short, then attacking cost is low, and password crack possibility is high. In the case where an attacker utilizes pre-computing rainbow tables, and the hash value of short passwords is leaked, the password that the user inputted can be cracked. In this research, to block rainbow table attacks, when the user generates a short password, by adding additional messages of identification information of a system or the user and extending the length of the password, we try to resolve the vulnerability of short passwords. By proposing a model to minimize the length of the password and the authority accordingly in mobile devices on which inputting passwords is not easy, we take security into consideration. Our proposal model is strong against rainbow table attack and provides efficient password system to users. It contributes to resolving password vulnerability and upgrades mobile users’ convenience in typing passwords.
- Published
- 2017
40. Process Memory Investigation of the Bitcoin Clients Electrum and Bitcoin Core
- Author
-
Luuc Van Der Horst, Nhien-An Le-Khac, and Kim-Kwang Raymond Choo
- Subjects
Cryptocurrency ,General Computer Science ,Computer science ,Internet privacy ,electrum forensics ,02 engineering and technology ,Computer security ,computer.software_genre ,Public-key cryptography ,03 medical and health sciences ,0302 clinical medicine ,0202 electrical engineering, electronic engineering, information engineering ,Ransomware ,General Materials Science ,030216 legal & forensic medicine ,cryptocurrency forensics ,Digital forensics ,business.industry ,General Engineering ,bitcoin forensics ,Passphrase ,Core (game theory) ,Ransom ,Digital currency ,020201 artificial intelligence & image processing ,bitcoin client ,lcsh:Electrical engineering. Electronics. Nuclear engineering ,business ,bitcoin core ,Transaction data ,computer ,lcsh:TK1-9971 - Abstract
Bitcoin cryptocurrency is reportedly one widely used digital currency in criminal activities (e.g. used for online purchases of illicit drugs and paying of ransom in ransomware cases). However, there has been limited forensic research of bitcoin clients in the literature. In this paper, the process memory of two popular bitcoin clients, bitcoin Core and electrum, is examined with the aims of identifying potential sources and types of potential relevant data (e.g. bitcoin keys, transaction data and passphrases). Artefacts obtained from the process memory are also studied with other artefacts obtained from the client device (application files on disk and memory-mapped files and registry keys). Findings from this study suggest that both bitcoin Core and electrum’s process memory is a valuable source of evidence, and many of the artefacts found in process memory are also available from the application and wallet files on the client device (disk).
- Published
- 2017
41. Thought-Based Authenticated Key Exchange
- Author
-
Phillip H. Griffin
- Subjects
Password ,Authentication ,Computer science ,business.industry ,Passphrase ,Shared secret ,Computer security ,computer.software_genre ,Authenticated Key Exchange ,Symmetric-key algorithm ,business ,computer ,Secure channel ,Key exchange - Abstract
Identity authentication techniques based on password-authenticated key exchange (PAKE) protocols rely on weak secrets shared between users and host systems. In PAKE, a symmetric key is derived from the shared secret, used to mutually authenticate communicating parties, and then used to establish a secure channel for subsequent communications. A common source of PAKE weak secrets are password and passphrase strings. Though easily recalled by a user, these inputs typically require keyboard entry, limiting their utility in achieving universal access. This paper describes authentication techniques based on weak secrets derived from knowledge extracted from biometric sensors and brain-actuated control systems. The derived secrets are converted into a format suitable for use by a PAKE protocol. When combined with other authentication factors, PAKE protocols can be extended to provide strong, two-factor identity authentication that is easy to use by persons living in assistive environments.
- Published
- 2019
42. Classification Performance Improvement of Keystroke Data
- Author
-
Mehmet Erdal Özbek
- Subjects
Biometrics ,Computer science ,business.industry ,Passphrase ,Machine learning ,computer.software_genre ,Keystroke logging ,ComputingMethodologies_PATTERNRECOGNITION ,Training phase ,Artificial intelligence ,Performance improvement ,business ,computer ,Classifier (UML) - Abstract
In this work, the classification of keystroke data, a behavioral biometrics modality, is investigated. The users degrading the overall classification performance are identified by classifying two different databases composed of different number of individuals and passphrases. The improvement in performance is demonstrated by eliminating those users in the training phase of the classifier.
- Published
- 2019
43. Keystroke based User Identification with XGBoost
- Author
-
P. Sai Ravi Teja, Harshal Jaiswal, Vadlamani Ravi, and Gutha Jaya Krishna
- Subjects
Password ,Boosting (machine learning) ,Artificial neural network ,Biometrics ,Computer science ,business.industry ,Passphrase ,02 engineering and technology ,Machine learning ,computer.software_genre ,Keystroke logging ,Statistical classification ,ComputingMethodologies_PATTERNRECOGNITION ,Keystroke dynamics ,020204 information systems ,Multilayer perceptron ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,Artificial intelligence ,business ,computer - Abstract
User identification or recognition based on keystrokes is the ability of the system to recognise or identify the persons or users who type the username, passphrase or password with a specific keystroke behaviour patterns. Therefore, user identification problem based on the keystroke behaviour patterns is posed as a multi-class classification problem, where some standard multi-class machine learning techniques identify multiple users. In this paper, we employed Extreme Gradient Boosting (XGBoost) technique for user identification in the context of behavioral biometrics using the keystroke dynamics features. Multiple users from CMU's keystroke dynamics dataset are analysed using Machine Learning (ML) Techniques such as the XGBoost, Multinomial Logistic Regression, Random Forest, Probabilistic Neural Network, Decision Tree, Multinomial Naive Bayes and a Multilayer Perceptron. The performance measure utilised for the user identification problem is accuracy. We observed that XGBoost produced the highest accuracy for user identification. We also performed statistical paired t-Test at 1% level of significance on the techniques employed for the user identification task. Therefore, our results were corroborated statistically too.
- Published
- 2019
44. Heresy: A Serverless Web Application to Store Compressed and Encrypted Document in the Form of URL
- Author
-
Gottfried Prasetyadi, Rina Refianti, Aries Muslim, Utomo Tri Hantoro, and Achmad Benny Mutiara
- Subjects
Triple DES ,Markup language ,Information retrieval ,business.industry ,Computer science ,Cryptography ,Passphrase ,Data_CODINGANDINFORMATIONTHEORY ,RC4 ,Encryption ,computer.software_genre ,Web application ,business ,computer ,Markdown - Abstract
In this study, we propose Heresy, a web application to generate a document that solely exists in the form of a Uniform Resource Locator (URL) fragment. That document is compressed using Lempel-Ziv-Markov algorithm (LZMA) and encrypted using one of four symmetric-key cryptography algorithms: AES, Rabbit, RC4, and Triple DES. This allows a user to create a secured document using markdown markup language, and then share or save the generated URL. In order to view the document, a valid passphrase is needed. All operations are performed in the client machine (serverless). We analyzed the capability and performance of Heresy in several devices to find out the best cryptography algorithm to secure a document.
- Published
- 2019
45. Specifics of Receiving and Processing Phase Information in Voice Authentication Systems
- Author
-
Viacheslav Pastushenko, Oleksandr Pastushenko, and Mykola Pastushenko
- Subjects
Authentication ,Biometrics ,Computer science ,Process (engineering) ,Reliability (computer networking) ,Passphrase ,Mel-frequency cepstrum ,Data mining ,Object (computer science) ,Hidden Markov model ,computer.software_genre ,computer - Abstract
The issues of improving the reliability of storing various resources, access to which is carried out using telecommunication networks, are considered. In this case, the first barrier in ensuring access reliability is the user authentication system. Lately, access systems based on biometric features of a user have been used. Initially, static biometric features of a user (facial image, finger papillary pattern and iris) were preferable, which did not meet the expectations of developers and users due to the simplicity of their falsification. Recently, the preference has been given to the dynamic (behavioral) biometric features of a user, namely voice authentication systems became more widely used. As it is known, voice authentication systems have several advantages, such as: simplicity, convenience, compactness, low cost, and a number of others. In addition, the passphrase can be quickly changed and expanded during the authentication process. However, the quality indicators of all biometric access systems do not meet the increasing requirements. The object of the study is the process of digital processing of voice signal during user authentication in access systems. In the process of voice authentication, the analysis of the amplitude-frequency spectrum of recording materials is performed. At the same time, the main research focuses on the use of estimates of formants, cepstral coefficients, mel-frequency cepstral coefficients, linear prediction coefficients, etc. as a user’s template. On the basis of user’s established patterns, admission decisions are made using Gaussian Mixture Models, Support Vector Machines, Hidden Markov Models or artificial neural networks. In the report, it is proposed to change the paradigm of digital processing of user voice signals and supplement the analysis of the amplitude-frequency spectrum with studies of phase data, which are traditionally ignored during the authentication.
According to the authors, the latter is caused by the lack of effective procedures for the formation of phase data, the requirement of additional computational resources, which were not always available to researchers, and some features using the signal phase.
- Published
- 2019
46. Geographic Hints for Passphrase Authentication
- Author
-
Alaadin Addas, Julie Thorpe, and Amirali Salehi-Abari
- Subjects
021110 strategic, defence & security studies ,Root (linguistics) ,Authentication ,Information retrieval ,Recall ,Computer science ,business.industry ,05 social sciences ,0211 other engineering and technologies ,Usability ,Passphrase ,02 engineering and technology ,Login ,Selection (linguistics) ,Systems design ,0501 psychology and cognitive sciences ,business ,050107 human factors - Abstract
We propose and study the use of geographic hints to aid memorability of passphrase-style authentication secrets. Geographic hints are map locations that are selected by the user at the time of passphrase creation, and shown to the user as a hint at the time of passphrase login. We implement the GeoHints system and analyze how geographic hints impact the usability and security of passphrase-style secrets in a multi-session user study (n=38). The study involved testing for multiple passphrase interference: each participant was asked to recall 4 distinct passphrases. Our study indicates that while geographic hints showed promise for reducing memory interference, GeoHints (as implemented) does not produce a viable authentication system, as the login success rate was 25% 7–11 days after passphrase selection. We analyze the root causes of login errors, finding that most were due to inexact recall of free-form text input. This finding points towards opportunities to improve the system design, and we suggest improvements that we believe will lead to viable systems that employ geographic hints.
- Published
- 2019
47. Speech Based Human Authentication on Smartphones
- Author
-
Wei Wang, Jiajun Sun, Alex X. Liu, Kang Ling, and Haipeng Dai
- Subjects
Authentication ,Biometrics ,Computer science ,Speech recognition ,020206 networking & telecommunications ,Passphrase ,02 engineering and technology ,Feature (linguistics) ,030507 speech-language pathology & audiology ,03 medical and health sciences ,0202 electrical engineering, electronic engineering, information engineering ,Key (cryptography) ,Mel-frequency cepstrum ,0305 other medical science ,Replay attack ,Vocal tract - Abstract
Voice has been used as biometrics for human authentication because different people have different voice characteristics due to different vocal tract shapes and intonations. However, traditional voice based human authentication is subject to four types of attacks: impersonation, voice conversion, synthesis and voice replay. In this paper, we propose SpeakPrint, an ultrasound based human speech authentication scheme for smartphones which is resistant to these attacks. Compared with traditional speech authentication system which focuses on what a user speaks, SpeakPrint captures how a user speaks by recording mouth and vocal movement through ultrasound signal at the same time. Our key insight is that for the valid user, features extracted from voice signal should be consistent with his mouth and vocal movement recorded from ultrasound signal, while an imitator or an audio player can’t produce the same signals in ultrasound domain. SpeakPrint extracts MFCC feature in normal voice frequency and MMSI features from ultrasound signal. An SVM classifier is trained to detect these attacks by comparing above feature differences. We implemented SpeakPrint on Samsung S5 and conducted experiments on 40 users. Experimental results show that SpeakPrint can detect replay attacks with 100% accuracy and replay attack with lip synching for 99.12% for passphrases longer than five words. This technology can be used in multi-factor authentication systems, where multiple authentication mechanisms are used to achieve defense in depth.
- Published
- 2019
48. Passquerade
- Author
-
Zhe Li, Mohamed Khamis, Tobias Seitz, Alice Nguyen, Mario Schneller, and Leonhard Mertl
- Subjects
Password ,Authentication ,Computer science ,Plain text ,05 social sciences ,ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION ,020207 software engineering ,Passphrase ,02 engineering and technology ,computer.file_format ,Masking (Electronic Health Record) ,Human–computer interaction ,Shoulder surfing ,0202 electrical engineering, electronic engineering, information engineering ,0501 psychology and cognitive sciences ,Error detection and correction ,Mobile device ,computer ,050107 human factors - Abstract
Entering text passwords on mobile devices is a significant challenge. Current systems either display passwords in plain text: making them visible to bystanders, or replace characters with asterisks shortly after they are typed: making editing them harder. This work presents a novel approach to mask text passwords by distorting them using graphical filters. Distorted passwords are difficult to observe by attackers because they cannot mentally reverse the distortions. Yet passwords remain readable by their owners because humans can recognize visually distorted versions of content they saw before. We present results of an online questionnaire and a user study where we compared Color-halftone, Crystallize, Blurring, and Mosaic filters to Plain text and Asterisks when 1) entering, 2) editing, and 3) shoulder surfing one-word passwords, random character passwords, and passphrases. Rigorous analysis shows that Color-halftone and Crystallize filters significantly improve editing speed, editing accuracy and observation resistance compared to current approaches.
- Published
- 2019
49. Evaluation of Peer Robot Communications using CryptoROS
- Author
-
Nor Samsiah Sani, Roham Amini, Afzan Adam, Abdul Hadi Abd Rahman, and Rossilawati Sulaiman
- Subjects
0209 industrial biotechnology ,General Computer Science ,Computer science ,business.industry ,Passphrase ,02 engineering and technology ,Computer security ,computer.software_genre ,Encryption ,Public-key cryptography ,Certificate signing request ,020901 industrial engineering & automation ,Certificate authority ,0202 electrical engineering, electronic engineering, information engineering ,Overhead (computing) ,020201 artificial intelligence & image processing ,business ,computer - Abstract
The demand of cloud robotics makes data encryption essential for peer robot communications. Certain types of data such as odometry, action controller and perception data need to be secured to prevent attacks. However, the introduction of data encryption caused increment of overhead for data stream communication. This paper presents an evaluation of CryptoROS architecture on Robot Operating System (ROS) which focused on peer-to-peer conversations between nodes with confidentiality and integrity violation. OpenSSL is used to create a private key and generate a Certificate Signing Request (CSR) that contains public key and a signature. The CSR is submitted to a Certificate Authority (CA) to chain the root CA certificate and encryption of RSA private key with AES-256 and a passphrase. The protected private key are securely backed up, transported, and stored. Experiments were carried out multiple times with and without the proposed protocol intervention to assess the performance impact of the Manager. The results for different number of messages transmitted each time increased from 100, 250 to 500 with performance impact 1.7%, 0.5% and 0.2%, respectively. It is concluded that CryptoROS is capable of protecting messages and service requests from unauthorized intentional alteration with authenticity verification in all components.
- Published
- 2019
50. Voice Presentation Attack Detection Using Convolutional Neural Networks
- Author
-
Milos Cernak, Sridha Sridharan, Petr Motlicek, Clinton Fookes, Srikanth Madikeri, Ivan Himawan, Marcel, S., Nixon, M.S., Fierrez, J., and Evans, N.
- Subjects
080000 INFORMATION AND COMPUTING SCIENCES ,Spoofing attack ,Computer science ,business.industry ,Speech recognition ,Reliability (computer networking) ,Deep learning ,090000 ENGINEERING ,anzsrc Australian and New Zealand Standard Research Class ,080100 ARTIFICIAL INTELLIGENCE AND IMAGE PROCESSING ,Passphrase ,Overfitting ,Convolutional neural network ,voice anti-spoofing ,replay attacks ,090600 ELECTRICAL AND ELECTRONIC ENGINEERING ,090609 Signal Processing ,convolutional neural networks ,Code (cryptography) ,080199 Artificial Intelligence and Image Processing not elsewhere classified ,asvspoof ,Artificial intelligence ,business ,Replay attack ,080109 Pattern Recognition and Data Mining - Abstract
Current state-of-the-art automatic speaker verification (ASV) systems are prone to spoofing. The security and reliability of ASV systems can be threatened by different types of spoofing attacks using voice conversion, synthetic speech, or recorded passphrase. It is therefore essential to develop countermeasure techniques which can detect such spoofed speech. Inspired by the success of deep learning approaches in various classification tasks, this work presents an in-depth study of convolutional neural networks (CNNs) for spoofing detection in automatic speaker verification (ASV) systems. Specifically, we have compared the use of three different CNNs architectures: AlexNet, CNNs with max-feature-map activation, and an ensemble of standard CNNs for developing spoofing countermeasures, and discussed their potential to avoid overfitting due to small amounts of training data that is usually available in this task. We used popular deep learning toolkits for the system implementation and have released the implementation code of our methods publicly. We have evaluated the proposed countermeasure systems for detecting replay attacks on recently released spoofing corpora ASVspoof 2017, and also provided in-depth visual analyses of CNNs to aid for future research in this area.
- Published
- 2019