Computer Science, 2020, Vol. 47, Issue (11): 42-47. doi: 10.11896/jsjkx.200500144

Special Issue: Intelligent Mobile Authentication

Impact of Zipf's Law on Password-related Security Protocols

DONG Qi-ying, SHAN Xuan, JIA Chun-fu   

  1. College of Cyber Science, Nankai University, Tianjin 300350, China
    Tianjin Key Laboratory of Network and Data Security Technology, Tianjin 300350, China
  • Received: 2020-05-28 Revised: 2020-08-07 Online: 2020-11-15 Published: 2020-11-05
  • About author: DONG Qi-ying, born in 1996, Ph.D, is a member of China Computer Federation. Her main research interests include password security, identity authentication and deep learning.
    JIA Chun-fu, born in 1967, Ph.D, professor, Ph.D supervisor, is a member of China Computer Federation. His main research interests include network and information security, trusted computing and software security, malicious code analysis and cryptography applications.
  • Supported by:
    This work was supported by the National Natural Science Foundation of China (61972215).

Abstract: Identity authentication is the first line of defense for the security of networks and information systems, and passwords are the most common method of identity authentication. Research usually assumes that user-constructed passwords follow a uniform distribution. However, recent studies have found that passwords obey Zipf's law, which means that most password-related security protocols underestimate the advantage of an attacker and thus fail to achieve the claimed security. To address this problem, the Password-Based Signatures (PBS) protocol proposed by Gjøsteen et al. and the Password-Protected Secret Sharing (PPSS) protocol proposed by Jarecki et al. are first taken as typical representatives. Under the basic assumption that passwords obey Zipf's law, the security proofs of these two protocols are shown to be flawed, and their security is redefined. Improvements to the two protocols are then given. In the improved PBS protocol, the attacker's advantage is recalculated. By limiting the number of guesses available to an attacker and entrusting a trusted third party with keeping the key, the protocol can prevent a malicious attacker from impersonating a legitimate user, and can prevent a malicious server from guessing a user's password and forging the signature. In the improved PPSS protocol, a Honey_List based on honeywords is set up on the server side to detect and prevent online password guessing attacks.
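The gap the abstract describes, worked as an added example (not code from the paper): it compares the success probability of q online guesses under the uniform assumption with the same attacker under a Zipf-distributed password set, and derives the guess limit that keeps the advantage within a chosen budget. The dictionary size, the exponent s and the plain power-law model p_r ∝ r^(-s) are assumptions made for illustration, not the paper's fitted parameters.

```python
def zipf_pmf(n, s):
    """Rank-ordered probabilities p_r = r^-s / sum_k k^-s for n passwords."""
    weights = [r ** -s for r in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def uniform_advantage(q, n):
    """Classic bound: q online guesses against n equally likely passwords."""
    return min(q, n) / n


def zipf_advantage(q, n, s):
    """Success probability when the q most popular passwords are tried."""
    return sum(zipf_pmf(n, s)[:q])


def max_guesses_for_budget(budget, n, s):
    """Largest guess limit q whose Zipf advantage stays at or below budget."""
    total, q = 0.0, 0
    for p in zipf_pmf(n, s):
        if total + p > budget:
            break
        total += p
        q += 1
    return q


if __name__ == "__main__":
    N, S = 100_000, 0.9  # constructed: dictionary size and Zipf exponent
    print(f"{'q':>6} {'uniform':>10} {'zipf':>10} {'ratio':>8}")
    for q in (1, 3, 10, 100, 1000):
        u, z = uniform_advantage(q, N), zipf_advantage(q, N, S)
        print(f"{q:>6} {u:>10.5f} {z:>10.5f} {z / u:>8.1f}")
    # Guess limit a server could enforce to keep the advantage under 1%
    print("max guesses for 1% budget:", max_guesses_for_budget(0.01, N, S))
```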

Key words: Honeywords, Password-related security protocols, Security proof, Trusted third party, Zipf's law

CLC Number: 

  • TP309
[1] BONNEAU J, HERLEY C, VAN O P C, et al. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes [C]//2012 IEEE Symposium on Security and Privacy. IEEE, 2012: 553-567.
[2] GJØSTEEN K, THUEN Ø. Password-based signatures [C]//European Public Key Infrastructure Workshop. Springer, 2011: 17-33.
[3] JARECKI S, KIAYIAS A, KRAWCZYK H, et al. Highly-efficient and composable password-protected secret sharing (or: how to protect your bitcoin wallet online) [C]//2016 IEEE European Symposium on Security and Privacy (EuroS&P). 2016: 276-291.
[4] CASTELLUCCIA C, DÜRMUTH M, PERITO D. Adaptive Password-Strength Meters from Markov Models [C]//NDSS. 2012.
[5] SCHECHTER S, HERLEY C, MITZENMACHER M. Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks [C]//Proceedings of the 5th USENIX Conference on Hot Topics in Security. USENIX Association, 2010: 1-8.
[6] NEWMAN M E J. Power laws, Pareto distributions and Zipf's law [J]. Contemporary Physics, 2005, 46(5): 323-351.
[7] WANG D, CHENG H, WANG P, et al. Zipf's law in passwords [J]. IEEE Transactions on Information Forensics and Security, 2017, 12(11): 2776-2791.
[8] KATZ J, OSTROVSKY R, YUNG M. Efficient and secure authenticated key exchange using weak passwords [J]. Journal of the ACM (JACM), 2009, 57(1): 1-39.
[9] BAGHERZANDI A, JARECKI S, SAXENA N, et al. Password-protected secret sharing [C]//Proceedings of the 18th ACM Conference on Computer and Communications Security, 2011: 433-444.
[10] JARECKI S, KIAYIAS A, KRAWCZYK H. Round-optimal password-protected secret sharing and T-PAKE in the password-only model [C]//International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2014: 233-253.
[11] WANG D, WANG P. On the implications of Zipf's law in passwords [C]//European Symposium on Research in Computer Security. Springer, 2016: 111-131.
[12] WANG D, WANG P. Two birds with one stone: Two-factor authentication with security beyond conventional bound [J]. IEEE Transactions on Dependable and Secure Computing, 2016, 15(4): 708-722.
[13] JUELS A, RIVEST R L. Honeywords: Making password-cracking detectable [C]//Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. 2013: 145-160.
[14] SHAMIR A. How to share a secret [J]. Communications of the ACM, 1979, 22(11): 612-613.