Rong Fan,Lingdi Ping,JianQing Fu,Xuezeng Pan

DOI: https://doi.org/10.1109/PACCS.2010.5626600

2010-01-01

Abstract:As wireless sensor networks (WSNs) are susceptible to attacks and sensor nodes have limited resources, designing a secure and efficient user authentication protocol for WSNs is a difficult task. Considering that most future large-scale WSNs follow a two-tiered architecture, we propose an efficient and Denial-of-Service resistant user authentication scheme for two-tiered WSNs, which imposes very light computational load and requires simple operations such as one-way hash function and exclusive-OR operations. In addition, there is a growing requirement for preserving user anonymity recently. Thus we introduce pseudonym identity for each user which is concealed in login messages. And through clever design, our proposed scheme can prevent from smart card breach. Moreover, the security analysis on this scheme demonstrates that our proposed scheme enjoys security attributes such as preventing the various kinds of attacks and user anonymity. Finally, performance analysis shows that our proposed scheme is simple and efficient.

Wei Pan,Weihua Li

DOI: https://doi.org/10.1109/ICMeCG.2009.111

2009-01-01

Abstract:E-Commerce systems are suffering more and more security issues. Vulnerabilities of authentication systems are revealed when various attacks and malicious abuses are developed and deployed to violate security of system and information. To improve the ability to defend authentication system against invasion and abuse, a novel penetration testing method for E-Commerce authentication system is proposed to scrutinize the vulnerabilities of e-Commerce authentication system and evaluate severity level of potential vulnerabilities. The penetration testing method is an active vulnerability analysis and verification method that can mimic active attacks and perform exploitations by constructing effective and concise penetration testing cases. Through analyzing dynamic taint propagation, the presented method can determine feasibility of the attacks and evaluate security of authentication system. The experiment demonstrates the proposed method can serve as a viable and effective candidate for security detection of authentication system.

Teik Guan Tan,Pawel Szalachowski,Jianying Zhou

DOI: https://doi.org/10.48550/arXiv.2011.06257

2020-11-12

Abstract:The use of passwords and the need to protect passwords are not going away. The majority of websites that require authentication continue to support password authentication. Even high-security applications such as Internet Banking portals, which deploy 2-factor authentication, rely on password authentication as one of the authentication factors. However phishing attacks continue to plague password-based authentication despite aggressive efforts in detection and takedown as well as comprehensive user awareness and training programs. There is currently no foolproof mechanism even for security-conscious websites to prevent users from being directed to fraudulent websites and having their passwords phished. In this paper, we apply a threat analysis on the web password login process, and uncover a design vulnerability in the HTML<inputtype="password"> field. This vulnerability can be exploited for phishing attacks as the web authentication process is not end-to-end secured from each input password field to the web server. We identify four properties that encapsulate the requirements to stop web-based password phishing, and propose a secure protocol to be used with a new credential field that complies with the four properties. We further analyze the proposed protocol through an abuse-case evaluation, discuss various deployment issues, and also perform a test implementation to understand its data and execution overheads

Networking and Internet Architecture,Cryptography and Security

Yossi Gilad,Amir Herzberg

DOI: https://doi.org/10.48550/arXiv.1204.6623

2012-04-30

Abstract:We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server and circumventing known defenses. Attacker can also launch devastating denial of service (DoS) attacks, even when the connection between the client and the server is secured with SSL/TLS. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a the victim client machine, and attacker capable of IP-spoofing on the Internet. Our attacks use a technique allowing an off-path attacker to learn the sequence numbers of both client and server in a TCP connection. The technique exploits the fact that many computers, in particular those running Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. Finally, we present practical defenses that can be deployed at the firewall level; no changes to existing TCP/IP stacks are required.

Cryptography and Security

贺炯,曹珍富

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.z1.125

2004-01-01

Abstract:The article introduces a method to attack the PIN BLOCK by the HSM interface without knowing the key. It gives out the countermeasures.

Frank Nielsen

DOI: https://doi.org/10.48550/arXiv.1304.6499

2013-04-24

Abstract:Nowadays, we are increasingly logging on many different Internet sites to access private data like emails or photos remotely stored in the clouds. This makes us all the more concerned with digital identity theft and passwords being stolen either by key loggers or shoulder-surfing attacks. Quite surprisingly, the current bottleneck of computer security when logging for authentication is the User Interface (UI): How can we enter safely secret passwords when concealed spy cameras or key loggers may be recording the login session? Logging safely requires to design a secure Human Computer Interface (HCI) robust to those attacks. We describe a novel method and system based on entering secret ID passwords by means of associative secret UI passwords that provides zero-knowledge to observers. We demonstrate the principles using a color Personal Identification Numbers (PINs) login system and describes its various extensions.

Human-Computer Interaction,Cryptography and Security

Andreas Eipper,Daniela Pöhn

DOI: https://doi.org/10.5220/0011667300003405

2024-07-23

Abstract:Cyber attacks are ubiquitous and a constantly growing threat in the age of digitization. In order to protect important data, developers and system administrators must be trained and made aware of possible threats. Practical training can be used for students alike to introduce them to the topic. A constant threat to websites that require user authentication is so-called brute-force attacks, which attempt to crack a password by systematically trying every possible combination. As this is a typical threat, but comparably easy to detect, it is ideal for beginners. Therefore, three open-source blue team scenarios are designed and systematically described. They are contiguous to maximize the learning effect.

Cryptography and Security

Gregor Költzsch

DOI: https://doi.org/10.3846/16111699.2006.9636145

2006-12-31

Journal of Business Economics and Management

Abstract:The increasing number of identity theft incidents such as credit card fraud, card duplication and internet attacks threaten the banking business that is mainly based on customer trust. Information and communication technologies create new business opportunities and innovative applications but do also enable new attack scenarios. Therefore, maintaining security and integrity is essential for the future economic success of banking. Biometric technologies such as fingerprint and facial recognition provide the means to enhance banking security. They are concerned with the measurement and evaluation of human physiological or behavioral data. Although the security‐oriented use of biometric technologies has become the most important field of development, they also enable a variety of convenience‐oriented use cases and applications. The article describes the security issues raised by technology‐based banking applications and outlines the idea of biometric technologies. Eventually, potential security and convenience‐driven use cases for biometrics in banking are illustrated based on examples given by a variety of professional project reports, magazines and other sources.

economics,business

Saru Kumari,Xiong Li,Fan Wu,Ashok Kumar Das,Vanga Odelu,Muhammad Khurram Khan

DOI: https://doi.org/10.3837/tiis.2016.09.026

2016-01-01

KSII Transactions on Internet and Information Systems

Abstract:Widespread use of wireless networks has drawn attention to ascertain confidential communication and proper authentication of an entity before granting access to services over insecure channels. Recently, Truong et al. proposed a modified dynamic ID-based authentication scheme which they claimed to resist smart-card-theft attack. Nevertheless, we find that their scheme is prone to smart-card-theft attack contrary to the author's claim. Besides, anyone can impersonate the user as well as service provider server and can breach the confidentiality of communication by merely eavesdropping the login request and server's reply message from the network. We also notice that the scheme does not impart user anonymity and forward secrecy. Therefore, we present another authentication scheme keeping apart the threats encountered in the design of Truong et al.'s scheme. We also prove the security of the proposed scheme with the help of widespread BAN (Burrows, Abadi and Needham) Logic.

Cataldo Basile,Bjorn De Sutter,Daniele Canavese,Leonardo Regano,Bart Coppens

DOI: https://doi.org/10.48550/arXiv.2303.15033

2023-03-27

Abstract:The last years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant constructs, models, and methods needed for formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) decision support system that instantiates many of the discussed construct, models, and methods and automates many activities in the risk analysis methodology for the protection of software. Despite being a prototype, the PoC's validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox and that it can actually assist decision-making in industrially relevant settings.

Software Engineering,Cryptography and Security

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-23829-6_11

2015-01-01

Abstract:Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

Lalitha Sravanti Dasu,Mannav Dhamija,Gurram Dishitha,Ajith Vivekanandan,V. Sarasvathi

DOI: https://doi.org/10.2478/cait-2023-0016

2023-06-01

Cybernetics and Information Technologies

Abstract:Abstract Defending against identity-based threats, which have predominantly increased in the era of remote access and working, requires non-conventional, dynamic, intelligent, and strategic means of authenticating and authorizing. This paper aims at devising detailed risk-scoring algorithms for five real-time use cases to make identity security adaptive and risk-based. Zero-trust principles are incorporated by collecting sign-in logs and analyzing them continually to check for any anomalies, making it a dynamic approach. Users are categorized as risky and non-risky based on the calculated risk scores. While many adaptive security mechanisms have been proposed, they confine identities only to users. This paper also considers devices as having an identity and categorizes them as safe or unsafe devices. Further, results are displayed on a dashboard, making it easy for security administrators to analyze and make wise decisions like multifactor authentication, mitigation, or any other access control decisions as such.

Ximing Liu,Yingjiu Li,Robert H. Deng,Bing Chang,Shujun Li

DOI: https://doi.org/10.1016/j.cose.2018.09.003

2018-10-18

Abstract:This paper proposes the first user-independent inter-keystroke timing attacks on PINs. Our attack method is based on an inter-keystroke timing dictionary built from a human cognitive model whose parameters can be determined by a small amount of training data on any users (not necessarily the target victims). Our attacks can thus be potentially launched on a large scale in real-world settings. We investigate inter-keystroke timing attacks in different online attack settings and evaluate their performance on PINs at different strength levels. Our experimental results show that the proposed attack performs significantly better than random guessing attacks. We further demonstrate that our attacks pose a serious threat to real-world applications and propose various ways to mitigate the threat.

Cryptography and Security,Human-Computer Interaction

Wenting Li,Ping Wang

DOI: https://doi.org/10.1016/j.future.2019.06.020

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Due to the sensitiveness of the physical environments and resource-constrained nature of edge devices, how to securely and efficiently access real-time data in Industrial Internet-of-Things (IIoT) is becoming an increasingly imperative concern. Though intensive efforts have been made to design password-based user authentication schemes for IIoT environments, the majority of them are subject to weaknesses, either suffering from various known attacks or lack of critical features. To ameliorate this situation, firstly, we put forward a criteria set on the basis of related state-of-art evaluation set to fairly assess authentication schemes for IIoT environments. The effectiveness and practicality of our criteria are tested by 42 representative schemes. Secondly, we revisit two representative schemes, namely Amin et al.’s scheme and Gope–Hwang’s scheme, as case studies to demonstrate the common pitfalls in designing robust schemes. Finally, we propose a practical authentication scheme for Industrial Internet-of-Things with provable security, and shed light on how to tackle node capture attack by using the “honeywords” technique. The security and performance evaluation results show that our new scheme is superior to other related ones, and thus, more suitable for IIoT environments.

Fang-fang KE,Xi-lin TANG,Qi-heng ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.07.048

2010-01-01

Abstract:Thel protocol proposed by Rhee H S et al(Computer Standards & Interfaces, 2009, No.1) uses mobile equipment to replace smart card to reduce risk and cost, but it exists some demerits. Aiming at this problem, based on Chan-Cheng attack case, it points out that the protocol can not resist impersonation attack and off-line password guessing attack. In order to overcome these drawbacks, it gives the improved scheme. Experimental results show this scheme is strongly resistant to both of these attacks, which keeps the password secret and authenticating ID.

唐川,张森强,唐朝京

DOI: https://doi.org/10.3969/j.issn.1007-130x.2004.08.007

2004-01-01

Abstract:The security of Smartcard operating terminals is very important in a Smartcard application system. First, analysis shows that a Smartcard operating terminal is the most vulnerable area in the whole system. Hence, a 4-D space is constructed to describe security attacks. Finally countermeasures are proposed, which is against the attacks from different levels.

Shiqi Wang,Linsen Li,Gaosheng Chen,Tao Chen,Zeming Wang

DOI: https://doi.org/10.1109/IACS.2017.7921977

2017-01-01

Abstract:As the RFID based Internet of Things (loT) gets worldwide attention, to prepare for the rapidly increasing applications in daily life, various security protocols are proposed. But, these protocols, most of which are limited by the tag processing capacity and dangerous exposure during transmission, could only be applied in certain fields. Previously, Chen and Deng's mutual authentication and privacy protection protocol which conforming EPC Class 1 Generation 2 Standards stands out for low cost as well as little requirements of the tag processing capacity. However, currently reported by others, this system faces up with severe dangers of tracking or cloning tags via impersonating attacks. After scrutiny, we found out that these vulnerabilities lie in the insufficient protections of random numbers, and we reconstruct the request and response based on the original protocol by making message unrepeatable, key elements secret and adding small storage for comparisons. The security of our protocol, proved by Ban logic analysis, is ensured by double protections — secret key pairs and dynamic random numbers. Our comparisons show that our protocol not only is safe under traditional attacks guaranteed by the original protocol but also overcomes impersonating attacks which represents the inherent weakness of information exposure in public.

Wan LIU,Ming TAN,Xing-Shu CHEN

DOI: https://doi.org/10.3969/j.issn.1002-137X.2008.03.085

2008-01-01

Computer Science

Abstract:The main function of trusted computing is done by the trusted platform module.For the working of TPM is based on the OIAP and OSAP protocol,it is most important to ensure the secure working of the two protocols.This article does logic description and security analysis on the two protocols,then presents some ways to protect the two protocols from being attacked.

Christian Mainka,Vladislav Mladenov,Jörg Schwenk

DOI: https://doi.org/10.48550/arXiv.1412.1623

2014-12-04

Abstract:Single Sign-On (SSO) systems simplify login procedures by using an an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitely specifies which IdP he trusts. However, in open systems like OpenID and OpenID Connect, each user may set up his own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols - OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in a open source tool OpenID Attacker, which additionally allows fine-granular testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues.

Cryptography and Security

毛剑,韦韬,陈昱,邹维

DOI: https://doi.org/10.3321/j.issn:1671-8836.2008.05.020

2008-01-01

Abstract:We propose a trusted computing module based secure electronic transaction architecture,which uses trusted equipment as the identity authentication and transaction authorization terminal.The new framework binds authentication and authorization in e-transaction operations and guarantees the secure sensitive operation is executed properly in an independent,trusted,auditable environment.Our approach thwarts Man-in-the-Middle attacks,protects a user's account even in the presence of most spywares like keyloggers and fends off the authorization hijack attacks efficiently.