INFINITE ALPHABET PASSWORDS - A Unified Model for a Class of Authentication Systems

Marcia Gibson, Marc Conrad, Carsten Maple

2010

Abstract

In the paper we propose a formal model for class of authentication systems termed, “Infinite Alphabet Password Systems” (IAPs). We define such systems as those that use a character set for the construction of the authentication token that is theoretically infinite, only bound by practical implementation restrictions. We find that the IAP architecture can feasibly be adapted for use in many real world situations, and may be implemented using a number of system architectures and cryptographic protocols. A security analysis is conducted on an implementation of the model that utilizes images for its underlying alphabet. As a result of the analysis we find that IAPs can offer security benefits over traditional alphanumeric password schemes. In particular some of the significant problems concerning phishing, pharming, replay, dictionary and offline brute force attacks are mitigated.

References

  1. Boit, A., Geimer, T., and Loviscach, J. (2009). A random cursor matrix to hide graphical password input. In SIGGRAPH 7809: SIGGRAPH 7809: Posters, pages 1- 1, New York, NY, USA. ACM.
  2. Davis, D., Monrose, F., and Reiter, M. K. (2004). On user choice in graphical password schemes. In SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium, pages 11-11, Berkeley, CA, USA. USENIX Association.
  3. Dhamija, R. and Perrig, A. (2000). Déjà vu: A user study using images for authentication. In Proceedings of USENIX Security Symposium, pages 45-58, Denver, Colorado.
  4. Gaw, S. and Felten, E. W. (2006). Password management strategies for online accounts. In SOUPS 7806: Proceedings of the second symposium on Usable privacy and security, pages 44-55, New York, NY, USA. ACM Press.
  5. Gibson, M., Renaud, K., Conrad, M., and Maple, C. (2009). Musipass: authenticating me softly with ”my” song. In NSPW 7809: Proceedings of the 2009 workshop on New security paradigms, pages 85-100, New York, NY, USA. ACM.
  6. Hayashi, E., Dhamija, R., Christin, N., and Perrig, A. (2008). Use your illusion: secure authentication usable anywhere. In SOUPS 7808: Proceedings of the 4th symposium on Usable privacy and security, pages 35-45, New York, NY, USA. ACM.
  7. ISO (2003). ISO/IEC 10646:2003 Information technology - Universal Multiple-Octet Coded Character Set (UCS).
  8. Klein, D. V. (1990). “foiling the cracker” - A survey of, and improvements to, password security. In Proceedings of the second USENIX Workshop on Security, pages 5-14.
  9. Kuber, R. and Yu, W. (2006). Authentication using tactile feedback. In HCI Engage 2006, Interactive experiences.
  10. Morris, R. and Thompson, K. (1979). Password security: A case history. Communications of the ACM, 22(11):594-597.
  11. Sasse, M. A., Brostoff, S., and Weirich, D. (2001). Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security. BT Technology Journal, 19(3):122-131.
  12. Shannon, C. (1948). A mathematical theory of communication. The Bell System Technical Journal, 27:379-423.
  13. Unicode Consortium (2009). The Unicode Standard, version 5.2.0. Mountain View, CA. ISBN 978-1-936213-00-9.
  14. http://www.unicode.org/versions/Unicode5.2.0/.
  15. Yan, J., Blackwell, A., Anderson, R., and Grant, A. (2004). Password memorability and security: Empirical results. IEEE Security and Privacy, 2(5):25-31.
Download


Paper Citation


in Harvard Style

Gibson M., Conrad M. and Maple C. (2010). INFINITE ALPHABET PASSWORDS - A Unified Model for a Class of Authentication Systems . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 94-99. DOI: 10.5220/0002986200940099


in Bibtex Style

@conference{secrypt10,
author={Marcia Gibson and Marc Conrad and Carsten Maple},
title={INFINITE ALPHABET PASSWORDS - A Unified Model for a Class of Authentication Systems},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={94-99},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002986200940099},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - INFINITE ALPHABET PASSWORDS - A Unified Model for a Class of Authentication Systems
SN - 978-989-8425-18-8
AU - Gibson M.
AU - Conrad M.
AU - Maple C.
PY - 2010
SP - 94
EP - 99
DO - 10.5220/0002986200940099