Private Password Auditing : Short Paper

Amrit Kumar ¹, Cédric Lauradoux ¹
¹ PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract: Passwords are the foremost means of achieving data and computer security. Hence, choosing a strong password that can withstand dictionary attacks is crucial in establishing the security of the underlying system. To ensure that strong passwords are chosen and that they are periodically updated, system administrators often rely on password auditors to filter weak password digests. Several tools aimed at preventing digest misuse have been designed to aid auditors in their task. We show, however, that this objective is far from being achieved, as these tools essentially reveal the digests corresponding to weak passwords. As a case study, we discuss the issues with Blackhash and develop the notion of Private Password Auditing, a mechanism that does not require a system administrator to reveal password digests to an external auditor and, symmetrically, keeps the dictionaries private to the auditor. We further present constructions based on Private Set Intersection and its variant, and evaluate a proof-of-concept implementation against real-world dictionaries.
Document type:
Conference paper
Technology and Practice of Passwords - International Conference on Passwords, PASSWORDS, Dec 2014, Trondheim, Norway. 2014

https://hal.inria.fr/hal-01119953
Contributor: Amrit Kumar
Submitted on: Tuesday, 24 February 2015 - 14:29:46
Last modified on: Tuesday, 13 December 2016 - 15:43:07
Document(s) archived on: Friday, 29 May 2015 - 09:35:47

File

pwdaudit.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01119953, version 1

Citation

Amrit Kumar, Cédric Lauradoux. Private Password Auditing : Short Paper. Technology and Practice of Passwords - International Conference on Passwords, PASSWORDS, Dec 2014, Trondheim, Norway. 2014. 〈hal-01119953〉

Metrics

Record views: 210

Document downloads: 255