Article title

Detecting Password File Theft using Predefined Time-Delays between Certain Password Characters

Publication languages
EN
Abstracts
EN
This paper presents novel mechanisms that effectively detect password file thefts and at the same time prevent uncovering passwords. The proposed mechanism uses delays between consecutive keystrokes of the password characters. In the presented case, a user should not only enter his password correctly during the sign-up process, but also needs to introduce relatively large time gaps between certain password characters. The proposed novel approaches disguise stored passwords by adding a suffix value that helps in detecting password file theft at the first sign-in attempt by an adversary who steals and cracks the hashed password file. Any attempt to log in using a real password without adding the time delays in the correct positions may be considered an impersonation attack, i.e. the password file has been stolen and cracked.
Year
Volume
Pages
101–108
Physical description
Bibliography: 21 items, figures, tables.
Authors
  • Department of Computer Science, College of Information Technology, Zarqa University, P.O. Box 132222, Zarqa 13132, Jordan
author
  • Department of Computer Science, College of Information Technology, Zarqa University, P.O. Box 132222, Zarqa 13132, Jordan
author
  • Department of Computer Science, College of Information Technology, Zarqa University, P.O. Box 132222, Zarqa 13132, Jordan
Notes
Record prepared under agreement 509/P-DUN/2018 with funds from the Ministry of Science and Higher Education (MNiSW) allocated to science dissemination activities (2018).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-2c2909e4-c74f-4dd3-8972-5d9c2cb5824d