Authors: Ziya Alper Genç ; Gabriele Lenzini ; Peter Y. A. Ryan and Itzel Vazquez Sandoval

Affiliation: University of Luxembourg, Luxembourg

ISBN: 978-989-758-282-0

Keyword(s): Honeywords, Password-based Authentication, Secure Protocols Design, Formal Analysis, ProVerif.

Abstract: In 2013 Juels and Rivest introduced the Honeywords System, a password-based authentication system designed to detect when a password file has been stolen. A Honeywords System stores passwords together with indistinguishable decoy words, so that when an intruder steals the file, retrieves the words, and tries to log in, he does not know which one is the password. If he is unlucky and guesses one of the decoy words, he reveals the leak. Juels and Rivest left a problem open: how to make the system secure even when the intruder has corrupted the login server’s code. In this paper we study and solve the problem. However, since “code corruption” is a powerful attack, we first rigorously define the threat and set a few assumptions under which the problem is still solvable, before showing meaningful attacks against the original Honeywords System. Then we elicit a fundamental security requirement; by implementing it, we are able to restore the Honeywords System’s security despite a corrupted login service. We verify the new protocol’s security formally, using ProVerif for this task. We also implement the protocol and test its performance. Finally, in the light of our findings, we discuss whether it is still worth using a fixed honeywords-based system against such a powerful threat, or whether it is better, in order to be resilient against code corruption attacks, to design afresh a completely different password-based authentication solution.

CC BY-NC-ND 4.0

Paper citation in several formats:
Genç, Z.; Lenzini, G.; Ryan, P. and Sandoval, I. (2018). A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System. In Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-282-0, pages 83-95. DOI: 10.5220/0006609100830095

@conference{icissp18,
author={Ziya Alper Gen\c{c} and Gabriele Lenzini and Peter Y. A. Ryan and Itzel Vazquez Sandoval},
title={A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System},
booktitle={Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2018},
pages={83-95},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006609100830095},
isbn={978-989-758-282-0},
}

TY - CONF

JO - Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System
SN - 978-989-758-282-0
AU - Genç, Z.
AU - Lenzini, G.
AU - Ryan, P.
AU - Sandoval, I.
PY - 2018
SP - 83
EP - 95
DO - 10.5220/0006609100830095
