Authentication: Deniable Authentication and Protection Against Dictionary Attacks. Isidora Petreska and Dimitar Gosevski.
  1. Authentication: Deniable Authentication and Protection Against Dictionary Attacks. Isidora Petreska and Dimitar Gosevski

  2. Contents • Introduction to Authentication • Deniable Authentication • Deniable authentication protocols • Adaptive Multi-Trapdoor Commitment (AMTC) Scheme • AMTC-based authenticators • Decisional Diffie-Hellman (DDH) Scheme • Passwords and Authentication • Countermeasures against dictionary attacks and their weaknesses • Reverse Turing Test (RTT) • Basic User Authentication Protocol • Solving Protocol Drawbacks • Security Analysis • Analysis for a user account • Setting the parameters

  3. Introduction to Authentication • Formal definition • Authentication technologies • Concerns addressed in this talk: • Deniable authentication • Password security

  4. Deniable Authentication • Property of deniability • Concept of deniable authentication • Privacy concerns of the sender • Need for deniable authentication: • in private key cryptography? • in public key cryptography?

  5. Deniable authentication protocols • Example of a deniable protocol • What if the sender changes his/her mind? • Need for forward deniability • Proposal of new schemes based on: • Adaptive Multi-Trapdoor Commitments and • Decisional Diffie-Hellman

  6. Adaptive Multi-Trapdoor Commitment (AMTC) Scheme • Notion of commitment • Trapdoor Commitment Scheme (TCS) • Adaptive Multi-Trapdoor Commitment (AMTC) Scheme: • CKG - master key generation algorithm, outputs a master public key (PK) and master trapdoor (TK) • Sel - given the master public key (PK), selects a public key (pk) from the family • Tkg - given the triple (PK, TK, pk), outputs the trapdoor information (tk) for pk • Com - computes a commitment Com(PK, pk, M, R) to message M with randomness R; the opening (M, R) is verified by recomputing it • Equiv - using the trapdoor tk, opens a commitment C to a different message
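The building block slide 6 relies on, shown as an added example that is not part of the original slides or of the authors' AMTC construction: a single-trapdoor (Pedersen-style) commitment. Whoever holds the trapdoor can open a commitment to any message of their choice, which is exactly why such commitments give deniability, since a transcript that the receiver could have produced alone does not bind the sender. The group parameters (P, Q, G), the function names and the sample messages are all constructed here for readability and are far too small for real use; AMTC generalises this to a family of keys with per-key trapdoors, which this block does not attempt.

```python
import secrets

# Constructed toy parameters: P is a safe prime, Q = (P - 1) / 2 is prime,
# G generates the order-Q subgroup. Real deployments use >= 2048-bit groups.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Public key h = G^tk mod P. The discrete log tk is the trapdoor
    (the role of Tkg on slide 6, for a single key)."""
    tk = secrets.randbelow(Q - 1) + 1
    return pow(G, tk, P), tk


def commit(h, m, r=None):
    """Com(h, M=m, R=r) = G^m * h^r mod P. Returns the commitment and the randomness."""
    if r is None:
        r = secrets.randbelow(Q)
    c = (pow(G, m % Q, P) * pow(h, r, P)) % P
    return c, r


def verify(h, c, m, r):
    """An opening (m, r) is accepted iff recomputing the commitment gives c."""
    return commit(h, m, r)[0] == c


def equivocate(tk, m, r, m_new):
    """Equiv: with the trapdoor, re-open the same commitment to m_new.
    c = G^m h^r = G^(m + tk*r), so we need m_new + tk*r_new == m + tk*r (mod Q),
    i.e. r_new = r + (m - m_new) * tk^-1 (mod Q)."""
    tk_inv = pow(tk, -1, Q)
    return (r + (m - m_new) * tk_inv) % Q


def demo():
    """Returns (honest opening ok, trapdoor re-opening ok, naive re-opening ok)."""
    h, tk = keygen()
    m, m_new = 42, 7                       # constructed sample messages
    c, r = commit(h, m)
    r_new = equivocate(tk, m, r, m_new)
    # Without tk the committer is bound: reusing r does not open c to m_new.
    return verify(h, c, m, r), verify(h, c, m_new, r_new), verify(h, c, m_new, r)
```

The binding/equivocation asymmetry is the whole point: anyone can check an opening, only the trapdoor holder can forge one, so a verifier who generated (h, tk) can never convince a third party that a particular opening came from the sender.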

  7. AMTC-based authenticators (1/2)

  8. AMTC-based authenticators (2/2)

  9. Decisional Diffie-Hellman (DDH) Scheme (1/2)

  10. Decisional Diffie-Hellman (DDH) Scheme (2/2)

  11. Passwords and Authentication • Passwords as authentication method • Passwords convenient for both service providers and users • Dictionary attacks against passwords • Password eavesdropping

  12. Countermeasures against dictionary attacks and their weaknesses • Countermeasures • Delayed response • Account locking procedure • Drawbacks of the countermeasures • Global password attacks (trying one common password across many accounts) • Denial of Service attacks (an attacker can lock legitimate users out) • Customer service cost

  13. Reverse Turing Test (RTT) • Introduced by M. Naor • Distinguishes between a human and an automated program • Automatically generated • Easy for humans • Hard for machines • Small probability of guessing the answer correctly

  14. RTT (Cont..) • Used by large IT companies • Yahoo • AltaVista • PayPal • Possible drawbacks of RTTs • Rely on the visual capabilities of the human • Improvement of RTTs • Audible RTTs

  15. Basic User Authentication Protocol • Combines an RTT with any password-based authentication system • Slows down automated programs trying to break into the system • Drawbacks of the protocol • Usability • answering an RTT on every login attempt is a burden for the user • Scalability • generating and serving an RTT per login attempt is costly

  16. Solving Protocol Drawbacks • Each user logs in from a limited set of computers • A dictionary attack is unlikely to originate from these computers • Identify a specific computer/web browser using a cookie • No RTT is required from these computers • An RTT is required only for a fraction of the login attempts

  17. Security Analysis • User-server interaction • Feedback no. 1 • Invalid username or password • Feedback no. 2 • Answer the RTT first; only then are you told whether the username/password pair is correct • Whether to ask for an RTT is a deterministic function of the username/password pair, so repeating the same guess yields the same behaviour • Same time delay regardless of whether the entered password is correct or not

  18. Analysis for a user account • To verify a fraction of the passwords (correct or incorrect) an RTT must be passed first • Assume every password is equally likely to be correct • Randomly chosen passwords • "Winning Ticket Game" analogy: the attacker must buy (solve) an RTT for each candidate that is not rejected for free

  19. Setting the parameters • Steps to design a successful authentication protocol: • Estimate the benefit the attacker gains from breaking into an account • Estimate the size of the password domain • Estimate the attacker's cost of solving a single RTT • The cost of breaking an account should be higher than the potential gain from the break
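The login protocol of slides 15-17 and the cost analysis of slides 18-19, as one added worked example. This is code written for this page, not the authors' or the original protocol paper's implementation. Assumptions made here: the fraction p of (username, wrong password) attempts that still trigger an RTT is a tunable constant; the deterministic RTT decision is derived from an HMAC under a server secret; a trusted browser is recognised by an HMAC cookie; passwords are stored as salted PBKDF2 hashes (with a low round count to keep the demo fast); the RTT itself is replaced by a boolean "passed" flag, since generating real RTTs is out of scope. Class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

P_RTT = 0.05            # fraction p of wrong guesses that still cost the attacker an RTT
PBKDF2_ROUNDS = 10_000  # deliberately low for the demo; use far more in production


class LoginServer:
    """In-memory stand-in for the server side of the RTT-augmented login."""

    def __init__(self, p_rtt=P_RTT):
        self.p_rtt = p_rtt
        self.key = secrets.token_bytes(32)   # server secret for RTT decision and cookies
        self.users = {}                       # username -> (salt, pbkdf2 hash)
        self.pending = {}                     # challenge id -> (username, password_correct)
        # Dummy record so unknown usernames take the same hashing time as known ones.
        self.dummy = (secrets.token_bytes(16), self._hash(secrets.token_bytes(16), b"x"))

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(salt, password.encode()))

    def _check_password(self, username, password):
        salt, stored = self.users.get(username, self.dummy)
        ok = hmac.compare_digest(self._hash(salt, password.encode()), stored)
        return ok and username in self.users

    def _rtt_required(self, username, password):
        # Deterministic in (username, password): resubmitting the same guess gives
        # the same decision, so the attacker cannot re-roll to dodge the RTT.
        tag = hmac.new(self.key, f"{username}\0{password}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:8], "big") < self.p_rtt * 2**64

    def _cookie(self, username):
        return hmac.new(self.key, b"trusted:" + username.encode(), hashlib.sha256).hexdigest()

    def login(self, username, password, cookie=None):
        """First message. Returns ('ok', cookie), ('invalid', None) or ('rtt', challenge_id)."""
        correct = self._check_password(username, password)   # always done: same delay
        if correct and cookie is not None and hmac.compare_digest(cookie, self._cookie(username)):
            return "ok", cookie                      # known browser: no RTT needed
        if correct or self._rtt_required(username, password):
            cid = secrets.token_hex(8)
            self.pending[cid] = (username, correct)
            return "rtt", cid                        # feedback no. 2: RTT before any verdict
        return "invalid", None                       # feedback no. 1: rejected for free

    def answer_rtt(self, challenge_id, rtt_passed):
        """Second message. Only a passed RTT reveals whether the pair was correct."""
        username, correct = self.pending.pop(challenge_id)
        if rtt_passed and correct:
            return "ok", self._cookie(username)      # log in and mark the browser trusted
        return "invalid", None


def expected_rtts_to_break(domain_size, p_rtt=P_RTT):
    """Wrong guesses answered 'invalid' cost nothing, but the correct password and a
    fraction p of the wrong ones can only be settled by solving an RTT. With the
    password uniform over N candidates the attacker solves about p*N/2 RTTs on average."""
    return p_rtt * domain_size / 2


def attack_uneconomic(domain_size, rtt_cost, account_value, p_rtt=P_RTT):
    """Slide 19 design rule: expected cost of breaking the account must exceed the gain."""
    return expected_rtts_to_break(domain_size, p_rtt) * rtt_cost > account_value


def demo():
    """Legitimate login flow, then a small constructed dictionary attack."""
    srv = LoginServer()
    srv.register("alice", "correct horse battery staple")
    first = srv.login("alice", "correct horse battery staple")            # no cookie yet -> RTT
    ok, cookie = srv.answer_rtt(first[1], rtt_passed=True)
    direct = srv.login("alice", "correct horse battery staple", cookie)   # trusted browser
    responses = [srv.login("alice", f"password{i}")[0] for i in range(100)]
    return first[0], ok, direct[0], responses.count("rtt"), responses.count("invalid")
```

The attacker's view is the point of the simulation: a response of "rtt" does not tell them whether the guess was right, and the only way to find out is to pay for the RTT, while a response of "invalid" lets them discard that guess for free. Tuning p trades the fraction of honest users who see an RTT from an untrusted browser against the p*N/2 RTTs the attacker must solve.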

  20. The contents of this presentation are being reproduced without the original authors' permission!
