Undetectable on-line password guessing attacks

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Undetectable on-line password guessing attacks

Full text

Pdf (621 KB)

Source

ACM SIGOPS Operating Systems Review archive
Volume 29 , Issue 4 (October 1995) table of contents

Pages: 77 - 86

Year of Publication: 1995

ISSN:0163-5980

Authors

Yun Ding	University of Technology Chemnitz-Zwickau, Chemnitz, Germany
Patrick Horster	University of Technology Chemnitz-Zwickau, Chemnitz, Germany

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 13, Downloads (12 Months): 54, Citation Count: 13

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/219282.219298 What is a DOI?

ABSTRACT

Several 3-party-based authentication protocols have been proposed, which are resistant to off-line password guessing attacks. We show that they are not resistant to a new type of attack called "undetectable on-line password guessing attack". The authentication server is not able to notice this kind of attack from the clients' (attacker's) requests, because they don't include enough information about the clients (or attacker). Either freshness or authenticity of these requests is not guaranteed. Thus the authentication server responses and leaks verifiable information for an attacker to verify his guess.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Steven M. Bellovin , Michael Merritt, Encrypted Key Exchange: Password-Based Protocols SecureAgainst Dictionary Attacks, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.72, May 04-06, 1992
	2	Li Gong, Optimal authentication protocols resistant to password guessing attacks, Proceedings of the 8th IEEE workshop on Computer Security Foundations, p.24, March 13-15, 1995
	3	[GLNS93] L. Gong, M. Lomas, R. Needham, J. Saltzer, "Protecting Poorly Chosen Secrets from Guessing Attacks", IEEE Journal on Selected Areas in Communications, Vol. 11, No. 5, (1993), pp. 648-656.
	4	T. Lomas , L. Gong , J. Saltzer , R. Needhamn, Reducing risks from poorly chosen keys, ACM SIGOPS Operating Systems Review, v.23 n.5, p.14-18, Dec. 3–6, 1989
	5	[Schn94] B. Schneier, "Applied Cryptography", New York, John Wiley & Sons, Inc., (1994).
	6	Michael Steiner , Gene Tsudik , Michael Waidner, Refinement and extension of encrypted key exchange, ACM SIGOPS Operating Systems Review, v.29 n.3, p.22-30, July 1995 [doi>10.1145/206826.206834]
	7	[TaAl91] J. J. Tardo, K. Alagappan, "SPX: Global Authentication Using Public Key Certificares", Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy, (1991), pp. 23-244.
	8	[TsHe93] G. Tsudik, E. Van Herreweghen, "Some Remarks on Protecting Weak Keys and Poorly-Chosen Secrets from Guessing Attacks", 1993 IEEE Symposium on Reliable Distributed Systems, (1993), pp. 136-142.

CITED BY 13

	Ya-Fen Chang , Chin-Chen Chang , Jui-Yi Kuo, A secure one-time password authentication scheme using smart cards without limiting login times, ACM SIGOPS Operating Systems Review, v.38 n.4, p.80-90, October 2004
	Ya-Fen Chang , Chin-Chen Chang, A secure and efficient strong-password authentication protocol, ACM SIGOPS Operating Systems Review, v.38 n.3, p.79-90, July 2004
	Chun-Li Lin , Hung-Min Sun , Tzonelih Hwang, Three-party encrypted key exchange: attacks and a solution, ACM SIGOPS Operating Systems Review, v.34 n.4, p.12-20, October 2000
	Her-Tyan Yeh , Hung-Min Sun, Simple authenticated key agreement protocol resistant to password guessing attacks, ACM SIGOPS Operating Systems Review, v.36 n.4, p.14-22, October 2002
	Raphael C. -W. Phan , Wei-Chuen Yau , Bok-Min Goi, Cryptanalysis of simple three-party key exchange protocol (S-3PAKE), Information Sciences: an International Journal, v.178 n.13, p.2849-2856, July, 2008
	Barry Jaspan, Dual-workfactor encrypted key exchange: efficiently preventing password chaining and dictionary attacks, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.5-5, July 22-25, 1996, San Jose, California
	Jeong Ok Kwon , Ik Rae Jeong , Kouichi Sakurai , Dong Hoon Lee, Efficient verifier-based password-authenticated key exchange in the three-party setting, Computer Standards & Interfaces, v.29 n.5, p.513-520, July, 2007
	Hyun-Seok Kim , Jin-Young Choi, Enhanced password-based simple three-party key exchange protocol, Computers and Electrical Engineering, v.35 n.1, p.107-114, January, 2009
	Eun-Jun Yoon , Kee-Young Yoo, Improving the novel three-party encrypted key exchange protocol, Computer Standards & Interfaces, v.30 n.5, p.309-314, July, 2008
	Hsing-Bai Chen , Tzung-Her Chen , Wei-Bin Lee , Chin-Chen Chang, Security enhancement for a three-party encrypted key exchange protocol against undetectable on-line password guessing attacks, Computer Standards & Interfaces, v.30 n.1-2, p.95-99, January, 2008
	Chou-Chen Yang , Ting-Yi Chang , Min-Shiang Hwang, Security of Improvement on Methods for Protecting Password Transmission, Informatica, v.14 n.4, p.551-558, December 2003
	Shuhua Wu , Yuefei Zhu, Password-based authenticated key distribution in the three-party setting with forward security, International Journal of Communication Networks and Distributed Systems, v.3 n.4, p.393-407, August 2009
	Tian-Fu Lee , Jenn-Long Liu , Mei-Jiun Sung , Shiueng-Bien Yang , Chia-Mei Chen, Communication-efficient three-party protocols for authentication and key agreement, Computers & Mathematics with Applications, v.58 n.4, p.641-648, August, 2009