Paper 2013/167

Single Password Authentication

Tolga Acar, Mira Belenkiy, and Alptekin Küpçü

Abstract

Users frequently reuse their passwords when authenticating to various online services. Combined with the use of weak passwords or honeypot/phishing attacks, this puts the security of the user's account information at high risk. In this paper, we propose several protocols that allow a user to use a single password to authenticate to multiple services securely. All our constructions provably protect the user from dictionary attacks on the password, and from cross-site impersonation or honeypot attacks by the online service providers. Our solutions assume the user has access to either an untrusted online cloud storage service (as per Boyen [14]), or a mobile storage device that is trusted until stolen. In the cloud storage scenario, we consider schemes that optimize for either storage server or online service performance, as well as anonymity and unlinkability of the user's actions. In the mobile storage scenario, we minimize the assumptions we make about the capabilities of the mobile device: we do not assume synchronization, tamper resistance, special or expensive hardware, or extensive cryptographic capabilities. Most importantly, the user's password remains secure even after the mobile device is stolen. Our protocols provide another layer of security against malware and phishing. To the best of our knowledge, we are the first to propose such a variety of provably secure password-based authentication schemes. Lastly, we argue that our constructions are relatively easy to deploy, especially if a few single sign-on services (e.g., Microsoft, Google, Facebook) adopt our proposal.

Note: The journal version includes a performance section, which is not available in this version. The journal version can be found here: http://www.sciencedirect.com/science/article/pii/S1389128613001667

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Published in Elsevier Computer Networks Journal
Keywords: Password-based authentication, dictionary attacks, malware, honeypots, privacy, mobile
Contact author(s): akupcu @ ku edu tr
History:
2013-06-11: revised
2013-03-28: received
Short URL: https://ia.cr/2013/167
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2013/167,
      author = {Tolga Acar and Mira Belenkiy and Alptekin Küpçü},
      title = {Single Password Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2013/167},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/167}},
      url = {https://eprint.iacr.org/2013/167}
}